PHP/sulu/sulu/2.6.2
Core framework that implements the functionality of the Sulu content management system
https://packagist.org/packages/sulu/sulu
MIT
3 Security Vulnerabilities
GHSA-255w-87rh-rg44
Published date: 2024-10-03T18:25:40Z
CVE: CVE-2024-47618
Links:
Cross-site Scripting via uploaded SVG
In Sulu v2.0.0 through v2.6.4 are vulnerable against XSS whereas a low privileged user with an access to the “Media” section can upload an SVG file with a malicious payload. Once uploaded and accessed, the malicious javascript will be executed on the victims’ (other users including admins) browsers.
Affected versions: ["2.6.4", "2.6.3", "2.6.2", "2.6.1", "2.6.0", "2.6.0-RC2", "2.6.0-RC1", "2.5.20", "2.5.19", "2.5.18", "2.5.17", "2.5.16", "2.5.15", "2.5.14", "2.5.13", "2.5.12", "2.5.11", "2.5.10", "2.5.9", "2.5.8", "2.5.7", "2.5.6", "2.5.5", "2.5.4", "2.5.3", "2.5.2", "2.5.1", "2.5.0", "2.5.0-alpha1", "2.4.20", "2.4.19", "2.4.18", "2.4.17", "2.4.16", "2.4.15", "2.4.14", "2.4.13", "2.4.12", "2.4.11", "2.4.10", "2.4.9", "2.4.8", "2.4.7", "2.4.6", "2.4.5", "2.4.4", "2.4.3", "2.4.2", "2.4.1", "2.4.0", "2.4.0-RC1", "2.3.13", "2.3.12", "2.3.11", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.0-RC2", "2.3.0-RC1", "2.2.19", "2.2.18", "2.2.17", "2.2.16", "2.2.15", "2.2.14", "2.2.13", "2.2.12", "2.2.11", "2.2.10", "2.2.9", "2.2.8", "2.2.7", "2.2.6", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.2.0-RC1", "2.1.14", "2.1.13", "2.1.12", "2.1.11", "2.1.10", "2.1.9", "2.1.8", "2.1.7", "2.1.6", "2.1.5", "2.1.4", "2.1.3", "2.1.2", "2.1.1", "2.1.0", "2.1.0-RC2", "2.1.0-RC1", "2.0.12", "2.0.11", "2.0.10", "2.0.9", "2.0.8", "2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0-RC3", "2.0.0-RC2", "2.0.0-RC1"]
Secure versions: [2.6.22, 3.0.0-RC1, 3.0.0-RC2, 3.0.0-alpha3, 3.0.0-alpha4, 3.0.0-alpha5, 3.0.0-beta1, 3.0.0-beta2, 3.0.0-beta3, 3.0.0-beta4, 3.0.5]
Recommendation: Update to version 3.0.5.
GHSA-6784-9c82-vr85
Published date: 2024-10-03T18:26:26Z
CVE: CVE-2024-47617
Links:
- https://github.com/sulu/sulu/security/advisories/GHSA-6784-9c82-vr85
- https://nvd.nist.gov/vuln/detail/CVE-2024-47617
- https://github.com/sulu/sulu/commit/a5a5ae555d282e88ff8559d38cfb46dea7939bda
- https://github.com/sulu/sulu/commit/eeacd14b6cf55f710084788140d40ebb00314b29
- https://github.com/sulu/sulu/blob/2.6/src/Sulu/Bundle/MediaBundle/Controller/MediaStreamController.php#L106
- https://github.com/advisories/GHSA-6784-9c82-vr85
Injection of arbitrary HTML/JavaScript code through the media download URL
Impact
This vulnerability allows an attacker to inject arbitrary HTML/JavaScript code through the media download URL in Sulu CMS. It affects the SuluMediaBundle component. The vulnerability is a Reflected Cross-Site Scripting (XSS) issue, which could potentially allow attackers to steal sensitive information, manipulate the website's content, or perform actions on behalf of the victim.
Patches
The problem has not been patched yet. Users should upgrade to patched versions once they become available. Currently affected versions are:
- 2.6.4
- 2.5.20
Workarounds
Until an official patch is released, users can implement additional input validation and output encoding for the 'slug' parameter in the MediaStreamController's downloadAction method. Alternatively, configuring a Web Application Firewall (WAF) to filter potentially malicious input could serve as a temporary mitigation.
References
- GitHub repository: https://github.com/sulu/sulu
- Vulnerable code: https://github.com/sulu/sulu/blob/2.6/src/Sulu/Bundle/MediaBundle/Controller/MediaStreamController.php#L106
Affected versions: ["2.5.20", "2.5.19", "2.5.18", "2.5.17", "2.5.16", "2.5.15", "2.5.14", "2.5.13", "2.5.12", "2.5.11", "2.5.10", "2.5.9", "2.5.8", "2.5.7", "2.5.6", "2.5.5", "2.5.4", "2.5.3", "2.5.2", "2.5.1", "2.5.0", "2.5.0-alpha1", "2.4.20", "2.4.19", "2.4.18", "2.4.17", "2.4.16", "2.4.15", "2.4.14", "2.4.13", "2.4.12", "2.4.11", "2.4.10", "2.4.9", "2.4.8", "2.4.7", "2.4.6", "2.4.5", "2.4.4", "2.4.3", "2.4.2", "2.4.1", "2.4.0", "2.4.0-RC1", "2.3.13", "2.3.12", "2.3.11", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.0-RC2", "2.3.0-RC1", "2.2.19", "2.2.18", "2.2.17", "2.2.16", "2.2.15", "2.2.14", "2.2.13", "2.2.12", "2.2.11", "2.2.10", "2.2.9", "2.2.8", "2.2.7", "2.2.6", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.2.0-RC1", "2.1.14", "2.1.13", "2.1.12", "2.1.11", "2.1.10", "2.1.9", "2.1.8", "2.1.7", "2.1.6", "2.1.5", "2.1.4", "2.1.3", "2.1.2", "2.1.1", "2.1.0", "2.1.0-RC2", "2.1.0-RC1", "2.0.12", "2.0.11", "2.0.10", "2.0.9", "2.0.8", "2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.6.4", "2.6.3", "2.6.2", "2.6.1", "2.6.0"]
Secure versions: [2.6.22, 3.0.0-RC1, 3.0.0-RC2, 3.0.0-alpha3, 3.0.0-alpha4, 3.0.0-alpha5, 3.0.0-beta1, 3.0.0-beta2, 3.0.0-beta3, 3.0.0-beta4, 3.0.5]
Recommendation: Update to version 3.0.5.
GHSA-6h7h-m7p5-hjqp
Published date: 2026-03-30T18:04:10Z
CVE: CVE-2026-34372
Links:
Sulu checks fix permissions for subentities endpoints
Impact
A user which has permission for the Sulu Admin via atleast one role could have access to the subentities of contacts via the admin API without even have permission for contacts.
Patches
The issue was patched in release 2.6.22 and 3.0.5.
Workarounds
Create a Symfony Request Listener checking the permissions for the specific roles.
Resources
Github Advisory: https://github.com/sulu/sulu/security/advisories/GHSA-6h7h-m7p5-hjqp
Affected versions: ["3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "2.6.21", "2.6.20", "2.6.19", "2.6.18", "2.6.17", "2.6.16", "2.6.15", "2.6.14", "2.6.13", "2.6.12", "2.6.11", "2.6.10", "2.6.9", "2.6.8", "2.6.7", "2.6.6", "2.6.5", "2.6.4", "2.6.3", "2.6.2", "2.6.1", "2.6.0", "2.6.0-RC2", "2.6.0-RC1", "2.5.33", "2.5.32", "2.5.31", "2.5.30", "2.5.29", "2.5.28", "2.5.27", "2.5.26", "2.5.25", "2.5.24", "2.5.23", "2.5.22", "2.5.21", "2.5.20", "2.5.19", "2.5.18", "2.5.17", "2.5.16", "2.5.15", "2.5.14", "2.5.13", "2.5.12", "2.5.11", "2.5.10", "2.5.9", "2.5.8", "2.5.7", "2.5.6", "2.5.5", "2.5.4", "2.5.3", "2.5.2", "2.5.1", "2.5.0", "2.5.0-alpha1", "2.4.20", "2.4.19", "2.4.18", "2.4.17", "2.4.16", "2.4.15", "2.4.14", "2.4.13", "2.4.12", "2.4.11", "2.4.10", "2.4.9", "2.4.8", "2.4.7", "2.4.6", "2.4.5", "2.4.4", "2.4.3", "2.4.2", "2.4.1", "2.4.0", "2.4.0-RC1", "2.3.13", "2.3.12", "2.3.11", "2.3.10", "2.3.9", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.3.0-RC2", "2.3.0-RC1", "2.2.19", "2.2.18", "2.2.17", "2.2.16", "2.2.15", "2.2.14", "2.2.13", "2.2.12", "2.2.11", "2.2.10", "2.2.9", "2.2.8", "2.2.7", "2.2.6", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.2.0-RC1", "2.1.14", "2.1.13", "2.1.12", "2.1.11", "2.1.10", "2.1.9", "2.1.8", "2.1.7", "2.1.6", "2.1.5", "2.1.4", "2.1.3", "2.1.2", "2.1.1", "2.1.0", "2.1.0-RC2", "2.1.0-RC1", "2.0.12", "2.0.11", "2.0.10", "2.0.9", "2.0.8", "2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0-RC3", "2.0.0-RC2", "2.0.0-RC1", "2.0.0-alpha6", "2.0.0-alpha5", "2.0.0-alpha4", "2.0.0-alpha3", "2.0.0-alpha2", "2.0.0-alpha1", "1.6.46", "1.6.45", "1.6.44", "1.6.43", "1.6.42", "1.6.41", "1.6.40", "1.6.39", "1.6.38", "1.6.37", "1.6.36", "1.6.35", "1.6.34", "1.6.33", "1.6.32", "1.6.31", "1.6.30", "1.6.29", "1.6.28", "1.6.27", "1.6.26", "1.6.25", "1.6.24", "1.6.23", "1.6.22", "1.6.21", "1.6.20", "1.6.19", "1.6.18", "1.6.17", "1.6.16", "1.6.15", "1.6.14", "1.6.13", "1.6.12", "1.6.11", "1.6.10", "1.6.9", "1.6.8", "1.6.7", "1.6.6", "1.6.5", "1.6.4", "1.6.3", "1.6.2", "1.6.1", "1.6.0", "1.6.0-RC1", "1.5.24", "1.5.23", "1.5.22", "1.5.21", "1.5.20", "1.5.19", "1.5.18", "1.5.17", "1.5.16", "1.5.15", "1.5.14", "1.5.13", "1.5.12", "1.5.11", "1.5.10", "1.5.9", "1.5.8", "1.5.7", "1.5.6", "1.5.5", "1.5.4", "1.5.3", "1.5.2", "1.5.1", "1.5.0", "1.5.0-RC3", "1.5.0-RC2", "1.5.0-RC1", "1.4.12", "1.4.11", "1.4.10", "1.4.9", "1.4.8", "1.4.7", "1.4.6", "1.4.5", "1.4.4", "1.4.3", "1.4.2", "1.4.1", "1.4.0", "1.4.0-RC2", "1.4.0-RC1", "1.3.11", "1.3.10", "1.3.9", "1.3.8", "1.3.7", "1.3.6", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.3.0-RC3", "1.3.0-RC2", "1.3.0-RC1", "1.2.9", "1.2.8", "1.2.7", "1.2.6", "1.2.5", "1.2.4", "1.2.3", "1.2.2", "1.2.1", "1.2.0", "1.2.0-RC4", "1.2.0-RC3", "1.2.0-RC2", "1.2.0-RC1", "1.1.12", "1.1.11", "1.1.10", "1.1.9", "1.1.8", "1.1.7", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.1.0-RC2", "1.1.0-RC1", "1.1.0-beta1", "1.0.15", "1.0.14", "1.0.13", "1.0.12", "1.0.11", "1.0.10", "1.0.9", "1.0.8", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0.0"]
Secure versions: [2.6.22, 3.0.0-RC1, 3.0.0-RC2, 3.0.0-alpha3, 3.0.0-alpha4, 3.0.0-alpha5, 3.0.0-beta1, 3.0.0-beta2, 3.0.0-beta3, 3.0.0-beta4, 3.0.5]
Recommendation: Update to version 3.0.5.
381 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 2.3.12 | MIT | 5 | 2022-06-09 - 09:26 | almost 4 years |
| 2.3.11 | MIT | 5 | 2022-04-05 - 11:37 | about 4 years |
| 2.3.10 | MIT | 5 | 2022-03-02 - 18:07 | about 4 years |
| 2.3.9 | MIT | 5 | 2021-12-16 - 13:05 | over 4 years |
| 2.3.8 | MIT | 5 | 2021-12-15 - 14:40 | over 4 years |
| 2.3.7 | MIT | 7 | 2021-11-09 - 15:19 | over 4 years |
| 2.3.6 | MIT | 7 | 2021-10-06 - 13:12 | over 4 years |
| 2.3.5 | MIT | 7 | 2021-09-30 - 13:40 | over 4 years |
| 2.3.4 | MIT | 7 | 2021-08-24 - 13:52 | over 4 years |
| 2.3.3 | MIT | 7 | 2021-08-16 - 14:38 | over 4 years |
| 2.3.2 | MIT | 7 | 2021-08-11 - 12:33 | over 4 years |
| 2.3.1 | MIT | 7 | 2021-06-17 - 14:26 | almost 5 years |
| 2.3.0 | MIT | 7 | 2021-05-27 - 10:48 | almost 5 years |
| 2.3.0-RC2 | MIT | 5 | 2021-05-20 - 13:50 | almost 5 years |
| 2.3.0-RC1 | MIT | 5 | 2021-05-12 - 13:19 | almost 5 years |
| 2.2.19 | MIT | 5 | 2021-12-16 - 12:52 | over 4 years |
| 2.2.18 | MIT | 5 | 2021-12-15 - 13:49 | over 4 years |
| 2.2.17 | MIT | 7 | 2021-11-09 - 12:30 | over 4 years |
| 2.2.16 | MIT | 7 | 2021-10-06 - 13:08 | over 4 years |
| 2.2.15 | MIT | 7 | 2021-09-30 - 10:18 | over 4 years |
| 2.2.14 | MIT | 7 | 2021-08-24 - 09:51 | over 4 years |
| 2.2.13 | MIT | 7 | 2021-08-16 - 14:04 | over 4 years |
| 2.2.12 | MIT | 7 | 2021-08-11 - 12:29 | over 4 years |
| 2.2.11 | MIT | 7 | 2021-06-17 - 11:41 | almost 5 years |
| 2.2.10 | MIT | 7 | 2021-05-27 - 10:10 | almost 5 years |
| 2.2.9 | MIT | 7 | 2021-05-20 - 13:49 | almost 5 years |
| 2.2.8 | MIT | 7 | 2021-05-11 - 13:55 | almost 5 years |
| 2.2.7 | MIT | 7 | 2021-03-30 - 17:48 | about 5 years |
| 2.2.6 | MIT | 7 | 2021-03-23 - 10:24 | about 5 years |
| 2.2.5 | MIT | 7 | 2021-02-25 - 16:14 | about 5 years |
| 2.2.4 | MIT | 7 | 2021-02-04 - 15:43 | about 5 years |
| 2.2.3 | MIT | 7 | 2020-12-18 - 09:33 | over 5 years |
| 2.2.2 | MIT | 7 | 2020-11-26 - 13:45 | over 5 years |
| 2.2.1 | MIT | 7 | 2020-11-04 - 10:47 | over 5 years |
| 2.2.0 | MIT | 7 | 2020-10-28 - 16:59 | over 5 years |
| 2.2.0-RC1 | MIT | 6 | 2020-10-07 - 14:31 | over 5 years |
| 2.1.14 | MIT | 6 | 2021-05-26 - 10:28 | almost 5 years |
| 2.1.13 | MIT | 6 | 2021-05-20 - 13:28 | almost 5 years |
| 2.1.12 | MIT | 6 | 2021-05-11 - 13:11 | almost 5 years |
| 2.1.11 | MIT | 6 | 2021-03-30 - 15:58 | about 5 years |
| 2.1.10 | MIT | 6 | 2021-03-22 - 19:02 | about 5 years |
| 2.1.9 | MIT | 6 | 2021-02-25 - 16:09 | about 5 years |
| 2.1.8 | MIT | 6 | 2021-02-04 - 15:30 | about 5 years |
| 2.1.7 | MIT | 6 | 2020-12-18 - 08:56 | over 5 years |
| 2.1.6 | MIT | 6 | 2020-11-26 - 12:56 | over 5 years |
| 2.1.5 | MIT | 6 | 2020-11-04 - 08:02 | over 5 years |
| 2.1.4 | MIT | 6 | 2020-11-02 - 15:26 | over 5 years |
| 2.1.3 | MIT | 6 | 2020-10-28 - 10:43 | over 5 years |
| 2.1.2 | MIT | 6 | 2020-08-26 - 09:07 | over 5 years |
| 2.1.1 | MIT | 6 | 2020-07-30 - 12:20 | over 5 years |