CVE-2024-37156

The SuluFormBundle adds support for creating dynamic forms in Sulu Admin. The TokenController get parameter formName is not sanitized in the returned input field which leads to XSS. This vulnerability is fixed in 2.5.3.
Configurations

Configuration 1 (hide)

cpe:2.3:a:sulu:suluformbundle:*:*:*:*:*:*:*:*

History

21 Nov 2024, 09:23

Type Values Removed Values Added
References () https://github.com/sulu/SuluFormBundle/commit/3f341b71a7309cbc8fd2c5bff894c654d1679b17 - Patch () https://github.com/sulu/SuluFormBundle/commit/3f341b71a7309cbc8fd2c5bff894c654d1679b17 - Patch
References () https://github.com/sulu/SuluFormBundle/security/advisories/GHSA-rrvc-c7xg-7cf3 - Vendor Advisory () https://github.com/sulu/SuluFormBundle/security/advisories/GHSA-rrvc-c7xg-7cf3 - Vendor Advisory

09 Oct 2024, 15:08

Type Values Removed Values Added
CPE cpe:2.3:a:sulu:suluformbundle:*:*:*:*:*:*:*:*
References () https://github.com/sulu/SuluFormBundle/commit/3f341b71a7309cbc8fd2c5bff894c654d1679b17 - () https://github.com/sulu/SuluFormBundle/commit/3f341b71a7309cbc8fd2c5bff894c654d1679b17 - Patch
References () https://github.com/sulu/SuluFormBundle/security/advisories/GHSA-rrvc-c7xg-7cf3 - () https://github.com/sulu/SuluFormBundle/security/advisories/GHSA-rrvc-c7xg-7cf3 - Vendor Advisory
First Time Sulu
Sulu suluformbundle

07 Jun 2024, 14:56

Type Values Removed Values Added
Summary
  • (es) SuluFormBundle agrega soporte para crear formularios dinámicos en Sulu Admin. El parámetro de obtención de TokenController formName no se sanitiza en el campo de entrada devuelto, lo que conduce a XSS. Esta vulnerabilidad se solucionó en 2.5.3.

06 Jun 2024, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-06 16:15

Updated : 2024-11-21 09:23


NVD link : CVE-2024-37156

Mitre link : CVE-2024-37156

CVE.ORG link : CVE-2024-37156


JSON object : View

Products Affected

sulu

  • suluformbundle
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)