Headline
GHSA-gfrh-gwqc-63cv: Sulu HTML Injection via Autocomplete Suggestion
Impact
It is an issue when input HTML into the Tag name. The HTML is execute when the tag name is listed in the auto complete form. Only admin users are affected and only admin users can create tags.
Patches
Has the problem been patched? What versions should users upgrade to?
The problem is patched with Version 2.4.16 and 2.5.12.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Create a custom mutation observer
References
Are there any links users can visit to find out more?
Currently not.
For more information
If you have any questions or comments about this advisory:
- Open an issue in sulu/sulu repository
- Email us at [email protected]
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2024-24807
Sulu HTML Injection via Autocomplete Suggestion
Low severity GitHub Reviewed Published Feb 5, 2024 in sulu/sulu • Updated Feb 5, 2024
Package
Affected versions
>= 2.0.0, < 2.4.16
>= 2.5.0, < 2.5.12
Patched versions
2.4.16
2.5.12
Impact
It is an issue when input HTML into the Tag name. The HTML is execute when the tag name is listed in the auto complete form.
Only admin users are affected and only admin users can create tags.
Patches
Has the problem been patched? What versions should users upgrade to?
The problem is patched with Version 2.4.16 and 2.5.12.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Create a custom mutation observer
References
Are there any links users can visit to find out more?
Currently not.
For more information
If you have any questions or comments about this advisory:
- Open an issue in sulu/sulu repository
- Email us at [email protected]
References
- GHSA-gfrh-gwqc-63cv
- sulu/sulu@570c781
Published to the GitHub Advisory Database
Feb 5, 2024