QwikSec

Security Database

CVE

CWE

Training

CVE-2025-47778

Published: May 14, 2025

Modified: May 14, 2025

PUBLISHED

Description

Sulu is an open-source PHP content management system based on the Symfony framework. Starting in versions 2.5.21, 2.6.5, and 3.0.0-alpha1, an admin user can upload SVG which may load external data via XML DOM library. This can be used for insecure XML External Entity References. The problem has been patched in versions 2.6.9, 2.5.25, and 3.0.0-alpha3. As a workaround, one may patch the effect file `src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php` manually.

Vendor	Product	Versions
sulu	sulu	affected `>= 2.5.21, < 2.5.25` affected `>= 2.6.5, < 2.6.9` affected `>= 3.0.0-alpha1, < 3.0.0-alpha3`

Weaknesses (CWE)

References

https://github.com/sulu/sulu/security/advisories/GHSA-f6rx-hf55-4255

x_refsource_CONFIRM

https://github.com/sulu/sulu/commit/02f52fca04eb9495b9b4a0c5cc64cf23bc27f544

x_refsource_MISC

https://github.com/sulu/sulu/blob/2.6/src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.