Lucene search

GitHub Advisory DatabaseGHSA-GM2X-6475-G9R8

HistoryJul 02, 2021 - 6:32 p.m.

XSS Injection in Media Collection Title was possible

2021-07-0218:32:18

CWE-79

GitHub Advisory Database

github.com

xss

injection

media collection

title

admin

script

workarounds

js files

security advisory

sulu io

software

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

8.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

EPSS

0.001

Percentile

19.4%

JSON

Impact

A logged in admin user was possible to add a script injection (XSS) in the collection title which was executed.

Workarounds

Manual patching the js files.

For more information

If you have any questions or comments about this advisory:’

Email us at [email protected]

Affected configurations

Vulners

Node

sulusuluRange<1.6.41

References

github.com/advisories/GHSA-gm2x-6475-g9r8

github.com/sulu/sulu/releases/tag/1.6.41

github.com/sulu/sulu/security/advisories/GHSA-gm2x-6475-g9r8

nvd.nist.gov/vuln/detail/CVE-2021-32737

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

8.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

EPSS

0.001

Percentile

19.4%

JSON

Related for GHSA-GM2X-6475-G9R8