Lucene search

Veracode Vulnerability DatabaseVERACODE:45367

HistoryFeb 06, 2024 - 9:29 a.m.

HTML Injection

2024-02-0609:29:23

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

sulu

html injection

tag name

auto-complete form

vulnerability

improper html sanitization

software

4.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

6.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

21.3%

JSON

Sulu is vulnerable to HTML Injection. The vulnerability is due to improper HTML sanitization within the the Tag name. The HTML is executed when the tag name is listed in the auto complete form.

CPENameOperatorVersion
sulu/sulule2.4.15
sulu/sulule2.5.11
sulu/sulule2.4.15
sulu/sulule2.5.11

Name	Operator	Version
sulu/sulu	le	2.4.15
sulu/sulu	le	2.5.11
sulu/sulu	le	2.4.15
sulu/sulu	le	2.5.11

References

github.com/sulu/sulu/commit/570c78124ae97cb02469141b86ac69d9fb2cb147

github.com/sulu/sulu/releases/tag/2.4.16

github.com/sulu/sulu/releases/tag/2.5.12

github.com/sulu/sulu/security/advisories/GHSA-gfrh-gwqc-63cv