CVE-2024-24807

Опубликовано: 05 фев. 2024

Источник: nvd

CVSS3: 2.7

CVSS3: 4.8

EPSS Низкий

Описание

Sulu is a highly extensible open-source PHP content management system based on the Symfony framework. There is an issue when inputting HTML into the Tag name. The HTML is executed when the tag name is listed in the auto complete form. Only admin users can create tags so they are the only ones affected. The problem is patched with version(s) 2.4.16 and 2.5.12.

Ссылки

https://github.com/sulu/sulu/releases/tag/2.4.16
Release Notes
https://github.com/sulu/sulu/releases/tag/2.5.12
Release Notes
https://github.com/sulu/sulu/security/advisories/GHSA-gfrh-gwqc-63cv
Vendor Advisory
https://github.com/sulu/sulu/releases/tag/2.4.16
Release Notes
https://github.com/sulu/sulu/releases/tag/2.5.12
Release Notes
https://github.com/sulu/sulu/security/advisories/GHSA-gfrh-gwqc-63cv
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*

Версия от 2.0.0 (включая) до 2.4.16 (исключая)

cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*

Версия от 2.5.0 (включая) до 2.5.12 (исключая)

EPSS

Процентиль: 74%

0.00837

Низкий

2.7 Low

CVSS3

4.8 Medium

CVSS3

Дефекты

CWE-80

CWE-79

Связанные уязвимости

GHSA-gfrh-gwqc-63cv

github

около 2 лет назад

Sulu HTML Injection via Autocomplete Suggestion

EPSS

Процентиль: 74%

0.00837

Низкий

2.7 Low

CVSS3

4.8 Medium

CVSS3

Дефекты

CWE-80

CWE-79