Filtered by vendor Sulu
Subscribe
Total
6 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-43835 | 1 Sulu | 1 Sulu | 2021-12-21 | 6.5 MEDIUM | 7.2 HIGH |
| Sulu is an open-source PHP content management system based on the Symfony framework. In affected versions Sulu users who have access to any subset of the admin UI are able to elevate their privilege. Over the API it was possible for them to give themselves permissions to areas which they did not already had. This issue was introduced in 2.0.0-RC1 with the new ProfileController putAction. The versions have been patched in 2.2.18, 2.3.8 and 2.4.0. For users unable to upgrade the only known workaround is to apply a patch to the ProfileController manually. | |||||
| CVE-2021-43836 | 1 Sulu | 1 Sulu | 2021-12-20 | 6.5 MEDIUM | 8.8 HIGH |
| Sulu is an open-source PHP content management system based on the Symfony framework. In affected versions an attacker can read arbitrary local files via a PHP file include. In a default configuration this also leads to remote code execution. The problem is patched with the Versions 1.6.44, 2.2.18, 2.3.8, 2.4.0. For users unable to upgrade overwrite the service `sulu_route.generator.expression_token_provider` and wrap the translator before passing it to the expression language. | |||||
| CVE-2021-41169 | 1 Sulu | 1 Sulu | 2021-10-27 | 3.5 LOW | 4.8 MEDIUM |
| Sulu is an open-source PHP content management system based on the Symfony framework. In versions before 1.6.43 are subject to stored cross site scripting attacks. HTML input into Tag names is not properly sanitized. Only admin users are allowed to create tags. Users are advised to upgrade. | |||||
| CVE-2021-32737 | 1 Sulu | 1 Sulu | 2021-07-09 | 3.5 LOW | 4.8 MEDIUM |
| Sulu is an open-source PHP content management system based on the Symfony framework. In versions of Sulu prior to 1.6.41, it is possible for a logged in admin user to add a script injection (cross-site-scripting) in the collection title. The problem is patched in version 1.6.41. As a workaround, one may manually patch the affected JavaScript files in lieu of updating. | |||||
| CVE-2020-15132 | 1 Sulu | 1 Sulu | 2020-08-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Sulu before versions 1.6.35, 2.0.10, and 2.1.1, when the "Forget password" feature on the login screen is used, Sulu asks the user for a username or email address. If the given string is not found, a response with a `400` error code is returned, along with a error message saying that this user name does not exist. This enables attackers to retrieve valid usernames. Also, the response of the "Forgot Password" request returns the email address to which the email was sent, if the operation was successful. This information should not be exposed, as it can be used to gather email addresses. This problem was fixed in versions 1.6.35, 2.0.10 and 2.1.1. | |||||
| CVE-2017-1000465 | 1 Sulu | 1 Sulu-standard | 2018-02-01 | 3.5 LOW | 5.4 MEDIUM |
| Sulu-standard version 1.6.6 is vulnerable to stored cross-site scripting vulnerability, within the page creation page, which can result in disruption of service and execution of javascript code. | |||||