4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-32737

GHSA ID

GHSA-gm2x-6475-g9r8

EPSS Score

0.57477%

CWE

CWE-79

Published

7/2/2021

Updated

2/1/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-32737

CVE-2021-32737: XSS Injection in Media Collection Title was possible

Impact

A logged in admin user was possible to add a script injection (XSS) in the collection title which was executed.

Workarounds

Manual patching the js files.

For more information

If you have any questions or comments about this advisory:'

Email us at security@sulu.io

(GitHub Advisory)

4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-32737

GHSA ID

GHSA-gm2x-6475-g9r8

EPSS Score

0.57477%

CWE

CWE-79

Published

7/2/2021

Updated

2/1/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
sulu/sulu	composer	< 1.6.41	1.6.41

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability involves XSS in collection titles executed client-side. The workaround mentions patching JS files, indicating the flaw exists in frontend rendering logic. The most probable cause is unsafe DOM manipulation (e.g., using innerHTML) when displaying collection titles. While exact function names aren't visible in provided resources, the pattern matches common XSS vectors in JavaScript view components handling unescaped user-controlled data.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * lo**** in **min us*r w*s possi*l* to *** * s*ript inj**tion (XSS) in t** *oll**tion titl* w*i** w*s *x**ut**. ### Work*roun*s M*nu*l p*t**in* t** js *il*s. ### *or mor* in*orm*tion I* you **v* *ny qu*stions or *omm*nts **out t*is **

Reasoning

T** vuln*r**ility involv*s XSS in *oll**tion titl*s *x**ut** *li*nt-si**. T** work*roun* m*ntions p*t**in* `JS` *il*s, in*i**tin* t** *l*w *xists in *ront*n* r*n**rin* lo*i*. T** most pro***l* **us* is uns*** *OM m*nipul*tion (*.*., usin* `inn*r*TML`

4.8

Basic Information

Concerned about an active attack path?

CVE-2021-32737: XSS Injection in Media Collection Title was possible

Impact

Workarounds

For more information

4.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI