Описание
Cross-site Scripting via uploaded SVG
In Sulu v2.0.0 through v2.6.4 are vulnerable against XSS whereas a low privileged user with an access to the “Media” section can upload an SVG file with a malicious payload. Once uploaded and accessed, the malicious javascript will be executed on the victims’ (other users including admins) browsers.
Пакеты
sulu/sulu
>= 2.0.0-RC1, < 2.5.21
2.5.21
sulu/sulu
>= 2.6.0-RC1, < 2.6.5
2.6.5
Связанные уязвимости
Sulu is a PHP content management system. Sulu is vulnerable against XSS whereas a low privileged user with access to the “Media” section can upload an SVG file with a malicious payload. Once uploaded and accessed, the malicious javascript will be executed on the victims’ (other users including admins) browsers. This issue is fixed in 2.6.5.