GitHub_MVULNRICHMENT:CVE-2024-24807CVE-2024-24807 Sulu is vulnerable to HTML Injection via Autocomplete Suggestion
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
AI Score
Confidence
High
SSVC
Exploitation
none
Automatable
no
Technical Impact
partial
Sulu is a highly extensible open-source PHP content management system based on the Symfony framework. There is an issue when inputting HTML into the Tag name. The HTML is executed when the tag name is listed in the auto complete form. Only admin users can create tags so they are the only ones affected. The problem is patched with version(s) 2.4.16 and 2.5.12.
ADP Affected
[
{
"cpes": [
"cpe:2.3:a:sulu:sulu:-:*:*:*:*:*:*:*"
],
"vendor": "sulu",
"product": "sulu",
"versions": [
{
"status": "affected",
"version": "-"
}
],
"defaultStatus": "unknown"
},
{
"cpes": [
"cpe:2.3:a:sulu:sulu:-:*:*:*:*:*:*:*"
],
"vendor": "sulu",
"product": "sulu",
"versions": [
{
"status": "affected",
"version": "-"
}
],
"defaultStatus": "unknown"
}
]Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
AI Score
Confidence
High
SSVC
Exploitation
none
Automatable
no
Technical Impact
partial