← volver
CVE-2024-24807

Sulu is vulnerable to HTML Injection via Autocomplete Suggestion

CVSS 2.7 LOWEPSS 0.5%CWE-80
Vexday Risk Score
8Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 2.7EPSS 0.5%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
05 feb 2024Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
Sulu is a highly extensible open-source PHP content management system based on the Symfony framework. There is an issue when inputting HTML into the Tag name. The HTML is executed when the tag name is listed in the auto complete form. Only admin users can create tags so they are the only ones affected. The problem is patched with version(s) 2.4.16 and 2.5.12.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Productos afectados
sulu · sulu

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/sulu/sulu/releases/tag/2.4.16https://github.com/sulu/sulu/releases/tag/2.5.12https://github.com/sulu/sulu/security/advisories/GHSA-gfrh-gwqc-63cv