PHP/sulu/sulu/2.0.0-RC3

Core framework that implements the functionality of the Sulu content management system

https://packagist.org/packages/sulu/sulu
MIT

2 Security Vulnerabilities

GHSA-255w-87rh-rg44

Published date: 2024-10-03T18:25:40Z
CVE: CVE-2024-47618
Links:

Cross-site Scripting via uploaded SVG

In Sulu v2.0.0 through v2.6.4 are vulnerable against XSS whereas a low privileged user with an access to the “Media” section can upload an SVG file with a malicious payload. Once uploaded and accessed, the malicious javascript will be executed on the victims’ (other users including admins) browsers.

Affected versions: ["2.6.4", "2.6.3", "2.6.2", "2.6.1", "2.6.0", "2.6.0-RC2", "2.6.0-RC1", "2.5.20", "2.5.19", "2.5.18", "2.5.17", "2.5.16", "2.5.15", "2.5.14", "2.5.13", "2.5.12", "2.5.11", "2.5.10", "2.5.9", "2.5.8", "2.5.7", "2.5.6", "2.5.5", "2.5.4", "2.5.3", "2.5.2", "2.5.1", "2.5.0", "2.5.0-alpha1", "2.4.20", "2.4.19", "2.4.18", "2.4.17", "2.4.16", "2.4.15", "2.4.14", "2.4.13", "2.4.12", "2.4.11", "2.4.10", "2.4.9", "2.4.8", "2.4.7", "2.4.6", "2.4.5", "2.4.4", "2.4.3", "2.4.2", "2.4.1", "2.4.0", "2.4.0-RC1", "2.3.13", "2.3.12", "2.3.11", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.0-RC2", "2.3.0-RC1", "2.2.19", "2.2.18", "2.2.17", "2.2.16", "2.2.15", "2.2.14", "2.2.13", "2.2.12", "2.2.11", "2.2.10", "2.2.9", "2.2.8", "2.2.7", "2.2.6", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.2.0-RC1", "2.1.14", "2.1.13", "2.1.12", "2.1.11", "2.1.10", "2.1.9", "2.1.8", "2.1.7", "2.1.6", "2.1.5", "2.1.4", "2.1.3", "2.1.2", "2.1.1", "2.1.0", "2.1.0-RC2", "2.1.0-RC1", "2.0.12", "2.0.11", "2.0.10", "2.0.9", "2.0.8", "2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0-RC3", "2.0.0-RC2", "2.0.0-RC1"]
Secure versions: [2.6.22, 3.0.0-RC1, 3.0.0-RC2, 3.0.0-alpha3, 3.0.0-alpha4, 3.0.0-alpha5, 3.0.0-beta1, 3.0.0-beta2, 3.0.0-beta3, 3.0.0-beta4, 3.0.5]
Recommendation: Update to version 3.0.5.

GHSA-6h7h-m7p5-hjqp

Published date: 2026-03-30T18:04:10Z
CVE: CVE-2026-34372
Links:

Sulu checks fix permissions for subentities endpoints

Impact

A user which has permission for the Sulu Admin via atleast one role could have access to the subentities of contacts via the admin API without even have permission for contacts.

Patches

The issue was patched in release 2.6.22 and 3.0.5.

Workarounds

Create a Symfony Request Listener checking the permissions for the specific roles.

Resources

Github Advisory: https://github.com/sulu/sulu/security/advisories/GHSA-6h7h-m7p5-hjqp

Affected versions: ["3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "2.6.21", "2.6.20", "2.6.19", "2.6.18", "2.6.17", "2.6.16", "2.6.15", "2.6.14", "2.6.13", "2.6.12", "2.6.11", "2.6.10", "2.6.9", "2.6.8", "2.6.7", "2.6.6", "2.6.5", "2.6.4", "2.6.3", "2.6.2", "2.6.1", "2.6.0", "2.6.0-RC2", "2.6.0-RC1", "2.5.33", "2.5.32", "2.5.31", "2.5.30", "2.5.29", "2.5.28", "2.5.27", "2.5.26", "2.5.25", "2.5.24", "2.5.23", "2.5.22", "2.5.21", "2.5.20", "2.5.19", "2.5.18", "2.5.17", "2.5.16", "2.5.15", "2.5.14", "2.5.13", "2.5.12", "2.5.11", "2.5.10", "2.5.9", "2.5.8", "2.5.7", "2.5.6", "2.5.5", "2.5.4", "2.5.3", "2.5.2", "2.5.1", "2.5.0", "2.5.0-alpha1", "2.4.20", "2.4.19", "2.4.18", "2.4.17", "2.4.16", "2.4.15", "2.4.14", "2.4.13", "2.4.12", "2.4.11", "2.4.10", "2.4.9", "2.4.8", "2.4.7", "2.4.6", "2.4.5", "2.4.4", "2.4.3", "2.4.2", "2.4.1", "2.4.0", "2.4.0-RC1", "2.3.13", "2.3.12", "2.3.11", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.0-RC2", "2.3.0-RC1", "2.2.19", "2.2.18", "2.2.17", "2.2.16", "2.2.15", "2.2.14", "2.2.13", "2.2.12", "2.2.11", "2.2.10", "2.2.9", "2.2.8", "2.2.7", "2.2.6", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.2.0-RC1", "2.1.14", "2.1.13", "2.1.12", "2.1.11", "2.1.10", "2.1.9", "2.1.8", "2.1.7", "2.1.6", "2.1.5", "2.1.4", "2.1.3", "2.1.2", "2.1.1", "2.1.0", "2.1.0-RC2", "2.1.0-RC1", "2.0.12", "2.0.11", "2.0.10", "2.0.9", "2.0.8", "2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0-RC3", "2.0.0-RC2", "2.0.0-RC1", "2.0.0-alpha6", "2.0.0-alpha5", "2.0.0-alpha4", "2.0.0-alpha3", "2.0.0-alpha2", "2.0.0-alpha1", "1.6.46", "1.6.45", "1.6.44", "1.6.43", "1.6.42", "1.6.41", "1.6.40", "1.6.39", "1.6.38", "1.6.37", "1.6.36", "1.6.35", "1.6.34", "1.6.33", "1.6.32", "1.6.31", "1.6.30", "1.6.29", "1.6.28", "1.6.27", "1.6.26", "1.6.25", "1.6.24", "1.6.23", "1.6.22", "1.6.21", "1.6.20", "1.6.19", "1.6.18", "1.6.17", "1.6.16", "1.6.15", "1.6.14", "1.6.13", "1.6.12", "1.6.11", "1.6.10", "1.6.9", "1.6.8", "1.6.7", "1.6.6", "1.6.5", "1.6.4", "1.6.3", "1.6.2", "1.6.1", "1.6.0", "1.6.0-RC1", "1.5.24", "1.5.23", "1.5.22", "1.5.21", "1.5.20", "1.5.19", "1.5.18", "1.5.17", "1.5.16", "1.5.15", "1.5.14", "1.5.13", "1.5.12", "1.5.11", "1.5.10", "1.5.9", "1.5.8", "1.5.7", "1.5.6", "1.5.5", "1.5.4", "1.5.3", "1.5.2", "1.5.1", "1.5.0", "1.5.0-RC3", "1.5.0-RC2", "1.5.0-RC1", "1.4.12", "1.4.11", "1.4.10", "1.4.9", "1.4.8", "1.4.7", "1.4.6", "1.4.5", "1.4.4", "1.4.3", "1.4.2", "1.4.1", "1.4.0", "1.4.0-RC2", "1.4.0-RC1", "1.3.11", "1.3.10", "1.3.9", "1.3.8", "1.3.7", "1.3.6", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.3.0-RC3", "1.3.0-RC2", "1.3.0-RC1", "1.2.9", "1.2.8", "1.2.7", "1.2.6", "1.2.5", "1.2.4", "1.2.3", "1.2.2", "1.2.1", "1.2.0", "1.2.0-RC4", "1.2.0-RC3", "1.2.0-RC2", "1.2.0-RC1", "1.1.12", "1.1.11", "1.1.10", "1.1.9", "1.1.8", "1.1.7", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.1.0-RC2", "1.1.0-RC1", "1.1.0-beta1", "1.0.15", "1.0.14", "1.0.13", "1.0.12", "1.0.11", "1.0.10", "1.0.9", "1.0.8", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0.0"]
Secure versions: [2.6.22, 3.0.0-RC1, 3.0.0-RC2, 3.0.0-alpha3, 3.0.0-alpha4, 3.0.0-alpha5, 3.0.0-beta1, 3.0.0-beta2, 3.0.0-beta3, 3.0.0-beta4, 3.0.5]
Recommendation: Update to version 3.0.5.

381 Other Versions

Version License Security Released
3.0.5 MIT 2026-03-27 - 14:15 29 days
3.0.4 MIT 1 2026-02-12 - 18:02 2 months
3.0.3 MIT 1 2026-01-16 - 11:55 3 months
3.0.2 MIT 1 2026-01-09 - 12:41 4 months
3.0.1 MIT 1 2025-12-23 - 08:58 4 months
3.0.0 MIT 1 2025-11-25 - 23:52 5 months
3.0.0-RC2 MIT 2025-11-24 - 11:26 5 months
3.0.0-RC1 MIT 2025-11-14 - 19:45 5 months
3.0.0-beta4 MIT 2025-11-07 - 10:03 6 months
3.0.0-beta3 MIT 2025-10-28 - 16:19 6 months
3.0.0-beta2 MIT 2025-10-22 - 08:03 6 months
3.0.0-beta1 MIT 2025-09-10 - 09:33 8 months
3.0.0-alpha5 MIT 2025-08-20 - 13:33 8 months
3.0.0-alpha4 MIT 2025-07-16 - 16:18 9 months
3.0.0-alpha3 MIT 2025-05-14 - 12:54 12 months
3.0.0-alpha2 MIT 1 2025-04-24 - 12:22 about 1 year
3.0.0-alpha1 MIT 1 2025-04-10 - 11:27 about 1 year
2.6.22 MIT 2026-03-27 - 14:13 29 days
2.6.21 MIT 1 2026-02-12 - 17:47 2 months
2.6.20 MIT 1 2026-01-16 - 11:51 3 months
2.6.19 MIT 1 2026-01-09 - 12:41 4 months
2.6.18 MIT 1 2025-12-23 - 08:36 4 months
2.6.17 MIT 1 2025-11-22 - 15:13 5 months
2.6.16 MIT 1 2025-11-14 - 08:13 5 months
2.6.15 MIT 1 2025-11-07 - 09:49 6 months
2.6.14 MIT 1 2025-10-28 - 13:21 6 months
2.6.13 MIT 1 2025-10-22 - 07:48 6 months
2.6.12 MIT 1 2025-09-09 - 14:35 8 months
2.6.11 MIT 1 2025-08-20 - 13:08 8 months
2.6.10 MIT 1 2025-07-16 - 15:13 9 months
2.6.9 MIT 1 2025-05-14 - 12:53 12 months
2.6.8 MIT 2 2025-04-10 - 07:39 about 1 year
2.6.7 MIT 2 2025-02-05 - 17:10 about 1 year
2.6.6 MIT 2 2024-11-27 - 12:35 over 1 year
2.6.5 MIT 2 2024-10-02 - 14:49 over 1 year
2.6.4 MIT 3 2024-07-25 - 12:21 over 1 year
2.6.3 MIT 3 2024-06-27 - 11:28 almost 2 years
2.6.2 MIT 3 2024-05-16 - 13:38 almost 2 years
2.6.1 MIT 3 2024-05-06 - 09:28 almost 2 years
2.6.0 MIT 3 2024-05-02 - 13:36 almost 2 years
2.6.0-RC2 MIT 2 2024-04-15 - 16:15 about 2 years
2.6.0-RC1 MIT 2 2024-03-29 - 08:34 about 2 years
2.5.33 MIT 1 2025-11-22 - 15:12 5 months
2.5.32 MIT 1 2025-11-07 - 12:19 6 months
2.5.31 MIT 1 2025-11-07 - 09:05 6 months
2.5.30 MIT 1 2025-10-28 - 12:14 6 months
2.5.29 MIT 1 2025-10-22 - 07:44 6 months
2.5.28 MIT 1 2025-09-08 - 06:46 8 months
2.5.27 MIT 1 2025-08-20 - 13:04 8 months
2.5.26 MIT 1 2025-07-16 - 14:26 9 months