Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1nZnJoLWd3cWMtNjNjds4AA5El

Sulu HTML Injection via Autocomplete Suggestion

Impact

It is an issue when input HTML into the Tag name. The HTML is execute when the tag name is listed in the auto complete form.
Only admin users are affected and only admin users can create tags.

Patches

Has the problem been patched? What versions should users upgrade to?

The problem is patched with Version 2.4.16 and 2.5.12.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Create a custom mutation observer

References

Are there any links users can visit to find out more?

Currently not.

For more information

If you have any questions or comments about this advisory:

Permalink: https://github.com/advisories/GHSA-gfrh-gwqc-63cv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nZnJoLWd3cWMtNjNjds4AA5El
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 25 days ago
Updated: 25 days ago


Identifiers: GHSA-gfrh-gwqc-63cv, CVE-2024-24807
References:

Affected Packages

packagist:sulu/sulu
Versions: >= 2.5.0, < 2.5.12, >= 2.0.0, < 2.4.16
Fixed in: 2.5.12, 2.4.16