Lucene search

GitHub Advisory DatabaseGHSA-GFRH-GWQC-63CV

HistoryFeb 05, 2024 - 8:24 p.m.

Sulu HTML Injection via Autocomplete Suggestion

2024-02-0520:24:18

CWE-79

CWE-80

GitHub Advisory Database

github.com

html injection

autocomplete

sulu

admin users

patch

version 2.4.16

version 2.5.12

mutation observer

4.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

6.9 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

21.3%

JSON

Impact

It is an issue when input HTML into the Tag name. The HTML is execute when the tag name is listed in the auto complete form.
Only admin users are affected and only admin users can create tags.

Patches

Has the problem been patched? What versions should users upgrade to?

The problem is patched with Version 2.4.16 and 2.5.12.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Create a custom mutation observer

References

Are there any links users can visit to find out more?

Currently not.

For more information

If you have any questions or comments about this advisory:

Open an issue in sulu/sulu repository
Email us at [email protected]

Affected configurations

Vulners

Node

sulusuluRange<2.5.12

sulusuluRange<2.4.16

CPENameOperatorVersion
sulu/sulult2.5.12
sulu/sulult2.4.16

CPE	Name	Operator	Version
	sulu/sulu	lt	2.5.12
	sulu/sulu	lt	2.4.16