CVE-2024-47618

Sulu is a PHP content management system. Sulu is vulnerable against XSS whereas a low privileged user with access to the “Media” section can upload an SVG file with a malicious payload. Once uploaded and accessed, the malicious javascript will be executed on the victims’ (other users including admins) browsers. This issue is fixed in 2.6.5.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/sulu/sulu/commit/ca72f75eebe41ea7726624d8aea7da6c425f1eb9	Patch
https://github.com/sulu/sulu/security/advisories/GHSA-255w-87rh-rg44	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sulu:sulu::::::::
	cpe:2.3:a:sulu:sulu:2.0.0:-::::::
	cpe:2.3:a:sulu:sulu:2.0.0:rc1::::::
	cpe:2.3:a:sulu:sulu:2.0.0:rc2::::::
	cpe:2.3:a:sulu:sulu:2.0.0:rc3::::::

History

08 Oct 2024, 14:31

Type	Values Removed	Values Added
References	~~() https://github.com/sulu/sulu/commit/ca72f75eebe41ea7726624d8aea7da6c425f1eb9 -~~	() https://github.com/sulu/sulu/commit/ca72f75eebe41ea7726624d8aea7da6c425f1eb9 - Patch
References	~~() https://github.com/sulu/sulu/security/advisories/GHSA-255w-87rh-rg44 -~~	() https://github.com/sulu/sulu/security/advisories/GHSA-255w-87rh-rg44 - Vendor Advisory
CPE		cpe:2.3:a:sulu:sulu:::::::: cpe:2.3:a:sulu:sulu:2.0.0:-:::::: cpe:2.3:a:sulu:sulu:2.0.0:rc3:::::: cpe:2.3:a:sulu:sulu:2.0.0:rc2:::::: cpe:2.3:a:sulu:sulu:2.0.0:rc1::::::
First Time		Sulu sulu Sulu
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.4

04 Oct 2024, 13:50

Type	Values Removed	Values Added
Summary		(es) Sulu es un sistema de gestión de contenido PHP. Sulu es vulnerable a XSS, ya que un usuario con pocos privilegios y acceso a la sección “Medios” puede cargar un archivo SVG con una carga maliciosa. Una vez cargado y accedido, el código JavaScript malicioso se ejecutará en los navegadores de las víctimas (otros usuarios, incluidos los administradores). Este problema se solucionó en la versión 2.6.5.

03 Oct 2024, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-03 15:15

Updated : 2024-10-08 14:31

NVD link : CVE-2024-47618

Mitre link : CVE-2024-47618

CVE.ORG link : CVE-2024-47618

JSON object : View

Products Affected

sulu

sulu

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

5.4 /10