Privilege escalation in the Sulu Admin panel
Description
Sulu is an open-source PHP content management system based on the Symfony framework. In affected versions Sulu users who have access to any subset of the admin UI are able to elevate their privilege. Over the API it was possible for them to give themselves permissions to areas which they did not already had. This issue was introduced in 2.0.0-RC1 with the new ProfileController putAction. The versions have been patched in 2.2.18, 2.3.8 and 2.4.0. For users unable to upgrade the only known workaround is to apply a patch to the ProfileController manually.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
sulu/suluPackagist | >= 2.0.0, < 2.2.18 | 2.2.18 |
sulu/suluPackagist | >= 2.3.0, < 2.3.8 | 2.3.8 |
sulu/suluPackagist | >= 2.4.0-RC1, < 2.4.0 | 2.4.0 |
Affected products
1Patches
130bf8b5a4f83Merge pull request from GHSA-84px-q68r-2fc9
2 files changed · +41 −1
src/Sulu/Bundle/SecurityBundle/Controller/ProfileController.php+17 −1 modified@@ -118,7 +118,7 @@ public function putAction(Request $request) { $this->checkArguments($request); $user = $this->tokenStorage->getToken()->getUser(); - $this->userManager->save($request->request->all(), $request->get('locale'), $user->getId(), true); + $this->userManager->save($this->getData($request), $request->get('locale'), $user->getId(), true); $user->setFirstName($request->get('firstName')); $user->setLastName($request->get('lastName')); @@ -231,4 +231,20 @@ private function checkArguments(Request $request) throw new MissingArgumentException($this->userClass, 'locale'); } } + + /** + * @return array<string, mixed> + */ + protected function getData(Request $request): array + { + $data = []; + + foreach ($request->request->all() as $key => $value) { + if (\in_array($key, ['firstName', 'lastName', 'username', 'email', 'password', 'locale'], true)) { + $data[$key] = $value; + } + } + + return $data; + } }
src/Sulu/Bundle/SecurityBundle/Tests/Functional/Controller/ProfileControllerTest.php+24 −0 modified@@ -87,6 +87,30 @@ public function testPut() $this->assertEquals('de', $response->locale); } + public function testPutInvalidField() + { + $this->client->jsonRequest( + 'PUT', + '/api/profile', + [ + 'firstName' => 'Hans', + 'lastName' => 'Mustermann', + 'username' => 'hansi', + 'email' => 'hans.mustermann@muster.at', + 'password' => 'testpassword', + 'locale' => 'de', + ] + ); + + $response = \json_decode($this->client->getResponse()->getContent()); + $this->assertHttpStatusCode(200, $this->client->getResponse()); + $this->assertEquals('Hans', $response->firstName); + $this->assertEquals('Mustermann', $response->lastName); + $this->assertEquals('hansi', $response->username); + $this->assertEquals('hans.mustermann@muster.at', $response->email); + $this->assertEquals('de', $response->locale); + } + public function testPutEmailNotUnique() { $existingContact = new Contact();
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-84px-q68r-2fc9ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-43835ghsaADVISORY
- github.com/sulu/sulu/commit/30bf8b5a4f83b6f2171a696011757d095edaa28aghsax_refsource_MISCWEB
- github.com/sulu/sulu/security/advisories/GHSA-84px-q68r-2fc9ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.