4.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-24807

GHSA ID

GHSA-gfrh-gwqc-63cv

EPSS Score

0.73692%

CWE

CWE-79

Published

2/5/2024

Updated

2/5/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-24807

CVE-2024-24807: Sulu HTML Injection via Autocomplete Suggestion

Impact

It is an issue when input HTML into the Tag name. The HTML is execute when the tag name is listed in the auto complete form. Only admin users are affected and only admin users can create tags.

Patches

Has the problem been patched? What versions should users upgrade to?

The problem is patched with Version 2.4.16 and 2.5.12.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Create a custom mutation observer

References

Are there any links users can visit to find out more?

Currently not.

For more information

If you have any questions or comments about this advisory:

Open an issue in sulu/sulu repository
Email us at security@sulu.io

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-24807

CVE-2024-24807:

4.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-24807

GHSA ID

GHSA-gfrh-gwqc-63cv

EPSS Score

0.73692%

CWE

CWE-79

Published

2/5/2024

Updated

2/5/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
sulu/sulu	composer	>= 2.0.0, < 2.4.16	2.4.16
sulu/sulu	composer	>= 2.5.0, < 2.5.12	2.5.12

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the combination of: 1) User-controlled input (tag names) being directly inserted into HTML via replaceAll, and 2) Use of React's dangerouslySetInnerHTML which bypasses XSS protections. The patch replaces this dangerous pattern with safe React element composition. The pre-patch code clearly shows the vulnerable pattern in the highlightedText generation and rendering logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-24807: Sulu HTML Injection via Autocomplete Suggestion

Impact

Patches

Workarounds

References

For more information

CVE-2024-24807:

4.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

CVE-2024-24807: Sulu HTML Injection via Autocomplete Suggestion

Impact

Patches

Workarounds

References

For more information

4.8

4.8

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI