CVE-2024-27915

EPSS 0.16%
Veröffentlicht 06.03.2024 20:15:47
Zuletzt bearbeitet 08.01.2025 18:37:37
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Sulu is a PHP content management system. Starting in verson 2.2.0 and prior to version 2.4.17 and 2.5.13, access to pages is granted regardless of role permissions for webspaces which have a security system configured and permission check enabled. Webspaces without do not have this issue. The problem is patched in versions 2.4.17 and 2.5.13. Some workarounds are available. One may apply the patch to `vendor/symfony/security-http/HttpUtils.php` manually or avoid installing `symfony/security-http` versions greater equal than `v5.4.30` or `v6.3.6`.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Sulu ≫ Sulu Version >= 2.2.0 < 2.4.17

Sulu ≫ Sulu Version >= 2.5.0 < 2.5.13

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.16%	0.368

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
security-advisories@github.com	6.8	1.6	5.2	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://github.com/sulu/sulu/commit/ec9c3f99e15336dc4f6877f512300f231c17c6da

Patch

https://github.com/sulu/sulu/security/advisories/GHSA-jr83-m233-gg6p

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2024-27915

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-27915

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-27915

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-27915