CVE-2024-24807

Sulu is a highly extensible open-source PHP content management system based on the Symfony framework. There is an issue when inputting HTML into the Tag name. The HTML is executed when the tag name is listed in the auto complete form. Only admin users can create tags so they are the only ones affected. The problem is patched with version(s) 2.4.16 and 2.5.12.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*
cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:59

Type Values Removed Values Added
References () https://github.com/sulu/sulu/releases/tag/2.4.16 - Release Notes () https://github.com/sulu/sulu/releases/tag/2.4.16 - Release Notes
References () https://github.com/sulu/sulu/releases/tag/2.5.12 - Release Notes () https://github.com/sulu/sulu/releases/tag/2.5.12 - Release Notes
References () https://github.com/sulu/sulu/security/advisories/GHSA-gfrh-gwqc-63cv - Vendor Advisory () https://github.com/sulu/sulu/security/advisories/GHSA-gfrh-gwqc-63cv - Vendor Advisory
CVSS v2 : unknown
v3 : 4.8
v2 : unknown
v3 : 2.7

12 Feb 2024, 21:41

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 4.8
CPE cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*
CWE CWE-79
First Time Sulu
Sulu sulu
References () https://github.com/sulu/sulu/releases/tag/2.5.12 - () https://github.com/sulu/sulu/releases/tag/2.5.12 - Release Notes
References () https://github.com/sulu/sulu/security/advisories/GHSA-gfrh-gwqc-63cv - () https://github.com/sulu/sulu/security/advisories/GHSA-gfrh-gwqc-63cv - Vendor Advisory
References () https://github.com/sulu/sulu/releases/tag/2.4.16 - () https://github.com/sulu/sulu/releases/tag/2.4.16 - Release Notes

05 Feb 2024, 21:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-02-05 21:15

Updated : 2024-11-21 08:59


NVD link : CVE-2024-24807

Mitre link : CVE-2024-24807

CVE.ORG link : CVE-2024-24807


JSON object : View

Products Affected

sulu

  • sulu
CWE
CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')