Lucene search

GitHub_MCVELIST:CVE-2021-32737

HistoryJul 02, 2021 - 5:55 p.m.

CVE-2021-32737 XSS Injection in Media Collection Title was possible

2021-07-0217:55:09

CWE-79

GitHub_M

www.cve.org

xss injection

sulu cms

php

content management system

security patch

CVSS3

8.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

AI Score

8.7

Confidence

High

EPSS

0.001

Percentile

19.4%

JSON

Sulu is an open-source PHP content management system based on the Symfony framework. In versions of Sulu prior to 1.6.41, it is possible for a logged in admin user to add a script injection (cross-site-scripting) in the collection title. The problem is patched in version 1.6.41. As a workaround, one may manually patch the affected JavaScript files in lieu of updating.

CNA Affected

[
  {
    "product": "sulu",
    "vendor": "sulu",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.6.41"
      }
    ]
  }
]

References

github.com/sulu/sulu/releases/tag/1.6.41

github.com/sulu/sulu/security/advisories/GHSA-gm2x-6475-g9r8

CVSS3

8.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

AI Score

8.7

Confidence

High

EPSS

0.001

Percentile

19.4%

JSON

Related for CVELIST:CVE-2021-32737