CVE-2024-27915

Published: Mar 6, 2024Modified: Jan 8, 2025

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: NVD

Description

Sulu is a PHP content management system. Starting in verson 2.2.0 and prior to version 2.4.17 and 2.5.13, access to pages is granted regardless of role permissions for webspaces which have a security system configured and permission check enabled. Webspaces without do not have this issue. The problem is patched in versions 2.4.17 and 2.5.13. Some workarounds are available. One may apply the patch to `vendor/symfony/security-http/HttpUtils.php` manually or avoid installing `symfony/security-http` versions greater equal than `v5.4.30` or `v6.3.6`.

Affected (2)

Products: Sulu: Sulu

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Sulu Sulu	From 2.2.0 to 2.4.17
Sulu Sulu	From 2.5.0 to 2.5.13

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (4)

https://github.com/sulu/sulu/commit/ec9c3f99e15336dc4f6877f512300f231c17c6da

Source: security-advisories@github.com

Patch

https://github.com/sulu/sulu/security/advisories/GHSA-jr83-m233-gg6p

Source: security-advisories@github.com

MitigationVendor Advisory

https://github.com/sulu/sulu/commit/ec9c3f99e15336dc4f6877f512300f231c17c6da

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/sulu/sulu/security/advisories/GHSA-jr83-m233-gg6p

Source: af854a3a-2127-422b-91ae-364da2661108

MitigationVendor Advisory

Timeline

No history available yet.