17 matches found
Sulu XSS Vulnerability (GHSA-255w-87rh-rg44)
Sulu is prone to a cross-site scripting (XSS) vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s). SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:sulu:sulu"; if...
Cross-site Scripting (XSS)
Overview: sulu/sulu is a highly extensible open-source PHP content management system based on the Symfony framework. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via uploaded SVG files. An attacker can execute arbitrary JavaScript code on the victim's browser by...
GHSA-255W-87RH-RG44 Cross-site Scripting via uploaded SVG
Sulu v2.0.0 through v2.6.4 are vulnerable to XSS: a low-privileged user with access to the “Media” section can upload an SVG file with a malicious payload. Once uploaded and accessed, the malicious JavaScript will be executed in the victims’ (other users, including admins) browsers...
Cross-site Scripting via uploaded SVG
Sulu v2.0.0 through v2.6.4 are vulnerable to XSS: a low-privileged user with access to the “Media” section can upload an SVG file with a malicious payload. Once uploaded and accessed, the malicious JavaScript will be executed in the victims’ (other users, including admins) browsers...
CVE-2024-47618
Sulu is a PHP content management system vulnerable to cross-site scripting (XSS) via uploaded SVG files. The issue allows a low-privilege user with access to the Media section to upload an SVG containing malicious payload, which executes in other users’ browsers when accessed. The vulnerability i...
PT-2024-32677 · Sulu · Sulu
Name of the Vulnerable Software and Affected Versions: Sulu versions 2.0.0 through 2.6.4 Description: Sulu, a PHP content management system, is vulnerable to XSS attacks. A low-privileged user with access to the "Media" section can upload an SVG file containing a malicious payload. Once uploaded...
pixiv: Disclose Hidden Comments on Media Section of hub.vroid.com
A vulnerability was discovered in the Media section of the website where hidden comments could be disclosed. By intercepting a request to like a specific comment, the attacker was able to retrieve the content of the hidden comment, which should have only been visible to the original poster...
BIT-WORDPRESS-2020-11026 Specially crafted filenames in WordPress leading to XSS
In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previousl...
CVE-2020-11026
In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previousl...
Debian: Security Advisory (DLA-2208-1)
The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2020 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s). SPDX-License-Identifier: GPL-2.0-only if(description)...
CVE-2020-11026
In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previousl...
CVE-2020-11026
In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previousl...
CVE-2020-11026
In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previousl...
CVE-2020-11026 Specially crafted filenames in WordPress leading to XSS
In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previousl...
CVE-2020-11026
CVE-2020-11026 affects WordPress: in affected versions, uploading files with specially crafted names to Media can trigger script execution when the file is accessed. The issue requires an authenticated user with upload privileges. A patch was issued in WordPress 5.4.1, and all pre...
visir.is XSS vulnerability
Vulnerable URL: http://www.visir.is/section/media?template=radiojson%00ao7lz...
Mail.ru: [sales.mail.ru] CRLF Injection
The media section of the sales.mail.ru portal has a redirect that strips GET parameters: GET https://sales.mail.ru/media/foo?bar 302 Moved Temporarily Location: http://sales.mail.ru/media/foo It is vulnerable to CRLF injection, which allows an attacker to inject an arbitrary header into the server response: GE...