5.4

CVE-2024-47618

Sulu vulnerable to XSS via uploaded SVG

Sulu is a PHP content management system. Sulu is vulnerable against XSS whereas a low privileged user with access to the “Media” section can upload an SVG file with a malicious payload. Once uploaded and accessed, the malicious javascript will be executed on the victims’ (other users including admins) browsers. This issue is fixed in 2.6.5.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
SuluSulu Version > 2.0.0 < 2.6.5
SuluSulu Version2.0.0 Update-
SuluSulu Version2.0.0 Updaterc1
SuluSulu Version2.0.0 Updaterc2
SuluSulu Version2.0.0 Updaterc3
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.35% 0.269
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.4 2.3 2.7
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com 5.1 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/sulu/sulu/commit/ca72f75eebe41ea7726624d8aea7da6c425f1eb9
Patch
https://github.com/sulu/sulu/security/advisories/GHSA-255w-87rh-rg44
Vendor Advisory