4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-24807

GHSA ID

GHSA-gfrh-gwqc-63cv

EPSS Score

0.73692%

CWE

CWE-79

Published

2/5/2024

Updated

2/5/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-24807

CVE-2024-24807: Sulu HTML Injection via Autocomplete Suggestion

Impact

It is an issue when input HTML into the Tag name. The HTML is execute when the tag name is listed in the auto complete form. Only admin users are affected and only admin users can create tags.

Patches

Has the problem been patched? What versions should users upgrade to?

The problem is patched with Version 2.4.16 and 2.5.12.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Create a custom mutation observer

References

Are there any links users can visit to find out more?

Currently not.

For more information

If you have any questions or comments about this advisory:

Open an issue in sulu/sulu repository
Email us at security@sulu.io

(GitHub Advisory)

4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-24807

GHSA ID

GHSA-gfrh-gwqc-63cv

EPSS Score

0.73692%

CWE

CWE-79

Published

2/5/2024

Updated

2/5/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
sulu/sulu	composer	>= 2.0.0, < 2.4.16	2.4.16
sulu/sulu	composer	>= 2.5.0, < 2.5.12	2.5.12

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the combination of: 1) User-controlled input (tag names) being directly inserted into HTML via replaceAll, and 2) Use of React's dangerouslySetInnerHTML which bypasses XSS protections. The patch replaces this dangerous pattern with safe React element composition. The pre-patch code clearly shows the vulnerable pattern in the highlightedText generation and rendering logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t It is *n issu* w**n input *TML into t** T** n*m*. T** *TML is *x**ut* w**n t** t** n*m* is list** in t** *uto *ompl*t* *orm. Only **min us*rs *r* *****t** *n* only **min us*rs **n *r**t* t**s. ### P*t***s _**s t** pro*l*m ***n p*t****?

Reasoning

T** vuln*r**ility st*ms *rom t** *om*in*tion o*: *) `Us*r`-*ontroll** input (t** n*m*s) **in* *ir**tly ins*rt** into *TML vi* `r*pl****ll`, *n* *) Us* o* `R***t`'s `**n**rouslyS*tInn*r*TML` w*i** *yp*ss*s XSS prot**tions. T** p*t** r*pl***s t*is **n*

4.8

Basic Information

Concerned about an active attack path?

CVE-2024-24807: Sulu HTML Injection via Autocomplete Suggestion

Impact

Patches

Workarounds

References

For more information

4.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI