CVE-2024-27915

Published: Mar 6, 2024

Modified: Apr 16, 2025

PUBLISHED

CVSS v3.1

6.8

MEDIUM

Description

Sulu is a PHP content management system. Starting in verson 2.2.0 and prior to version 2.4.17 and 2.5.13, access to pages is granted regardless of role permissions for webspaces which have a security system configured and permission check enabled. Webspaces without do not have this issue. The problem is patched in versions 2.4.17 and 2.5.13. Some workarounds are available. One may apply the patch to `vendor/symfony/security-http/HttpUtils.php` manually or avoid installing `symfony/security-http` versions greater equal than `v5.4.30` or `v6.3.6`.

Vendor	Product	Versions
sulu	sulu	affected `>= 2.2.0, < 2.4.17` affected `>= 2.5.0-alpha1, < 2.5.13`

Weaknesses (CWE)

CWE-863

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

References

https://github.com/sulu/sulu/security/advisories/GHSA-jr83-m233-gg6p

x_refsource_CONFIRM

https://github.com/sulu/sulu/commit/ec9c3f99e15336dc4f6877f512300f231c17c6da

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-27915

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References