Skip to content

Sulu HTML Injection via Autocomplete Suggestion

Low severity GitHub Reviewed Published Feb 5, 2024 in sulu/sulu • Updated Feb 5, 2024

Package

composer sulu/sulu (Composer)

Affected versions

>= 2.0.0, < 2.4.16
>= 2.5.0, < 2.5.12

Patched versions

2.4.16
2.5.12

Description

Impact

It is an issue when input HTML into the Tag name. The HTML is execute when the tag name is listed in the auto complete form.
Only admin users are affected and only admin users can create tags.

Patches

Has the problem been patched? What versions should users upgrade to?

The problem is patched with Version 2.4.16 and 2.5.12.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Create a custom mutation observer

References

Are there any links users can visit to find out more?

Currently not.

For more information

If you have any questions or comments about this advisory:

References

@alexander-schranz alexander-schranz published to sulu/sulu Feb 5, 2024
Published to the GitHub Advisory Database Feb 5, 2024
Reviewed Feb 5, 2024
Last updated Feb 5, 2024

Severity

Low

EPSS score

0.053%
(23rd percentile)

CVE ID

CVE-2024-24807

GHSA ID

GHSA-gfrh-gwqc-63cv

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.