Low severity · NVD Advisory · Published Feb 5, 2024 · Updated Aug 1, 2024
Sulu is vulnerable to HTML Injection via Autocomplete Suggestion
CVE-2024-24807
Description
Sulu is a highly extensible open-source PHP content management system based on the Symfony framework. HTML entered as a tag name is executed when that tag name is listed as a suggestion in the autocomplete form. Only admin users can create tags, so they are the only ones affected. The problem is patched in versions 2.4.16 and 2.5.12.
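To make the escaping difference concrete, here is an added example (not Sulu's code) that models the suggestion highlighting before and after the fix in plain JavaScript rather than React: the vulnerable form builds raw HTML with `replaceAll`, the fixed form splits on the query and escapes every text piece the way React escapes text children. The tag name and query are constructed sample values, and the query is assumed to be a plain string.

```javascript
// Added example for CVE-2024-24807, not code from the Sulu project.
// Models the autocomplete suggestion highlighting as string functions.

// Vulnerable pattern: the suggestion text (an admin-created tag name) is
// wrapped in <strong> and then handed to the browser as raw HTML, so any
// markup inside the tag name is rendered as markup.
function highlightUnsafe(text, query) {
  return text.replaceAll(query, '<strong>$&</strong>');
}

// Minimal HTML escaping, equivalent to what React applies to text children.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed pattern: split on the query, escape every piece as text, and emit the
// <strong> element only from trusted code. This mirrors the patch, which
// renders {splitText} and <strong>{word}</strong> as React children instead
// of using dangerouslySetInnerHTML. Assumes a plain-string query.
function highlightSafe(text, query) {
  const parts = text.split(query);
  const mark = `<strong>${escapeHtml(query)}</strong>`;
  return parts
    .map((part, i) => escapeHtml(part) + (i < parts.length - 1 ? mark : ''))
    .join('');
}

// Constructed sample: a tag name that contains markup, and the typed query.
const TAG_NAME = 'news <em>hot</em> news';
const QUERY = 'news';

// Helper for checks: true when the rendered string still contains a raw tag
// other than the <strong> wrapper added by the highlighter.
function leaksMarkup(rendered) {
  return /<(?!\/?strong>)[a-z]/i.test(rendered);
}
```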
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| sulu/sulu (Packagist) | >= 2.0.0, < 2.4.16 | 2.4.16 |
| sulu/sulu (Packagist) | >= 2.5.0, < 2.5.12 | 2.5.12 |
Patches (1)
1. 570c78124ae9 Merge pull request from GHSA-gfrh-gwqc-63cv
1 file changed · +10 −5
src/Sulu/Bundle/AdminBundle/Resources/js/components/AutoCompletePopover/Suggestion.js+10 −5 modified@@ -37,12 +37,17 @@ export default class Suggestion extends React.PureComponent<Props> { matcher = this.props.query; } - // $FlowFixMe: flow does not recognize the replaceAll method: https://github.com/facebook/flow/issues/560 - const highlightedText = text.replaceAll(matcher, '<strong>$&</strong>'); + const splittedText = text.split(matcher); + const highlightedWords = text.match(matcher); - return ( - <span dangerouslySetInnerHTML={{__html: highlightedText}} /> - ); + return (<span> + {splittedText.map((splitText, index) => { + return <> + {splitText} + {highlightedWords && highlightedWords[index] ? <strong>{highlightedWords[index]}</strong> : null} + </> + })} + </span>); }; handleClick = () => {
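Review bot: in the new highlighting code, `const splittedText = text.split(matcher);` and `const highlightedWords = text.match(matcher);` only stay aligned when `matcher` is a global RegExp. For a plain string (the visible branch sets `matcher = this.props.query`) or a non-global pattern, `String.prototype.match` returns just the first match followed by its capture groups, so `highlightedWords[index]` is undefined or wrong for the second and later occurrences, and a string query containing regex metacharacters such as `(` is treated literally by `split` but compiled as a pattern by `match`, which throws. Consider collecting the matched segments with a global `matchAll` over an escaped pattern, or taking them from `text` at the split offsets, so both arrays have the same length. The move from `dangerouslySetInnerHTML` to rendering `{splitText}` and `<strong>{highlightedWords[index]}</strong>` as React children is what closes the HTML injection, since React escapes text children; the `<>` fragment returned from `map` should also carry a `key` to avoid React's list warning.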
References
- github.com/advisories/GHSA-gfrh-gwqc-63cv (GHSA advisory)
- github.com/sulu/sulu/commit/570c78124ae97cb02469141b86ac69d9fb2cb147 (fix commit)
- github.com/sulu/sulu/releases/tag/2.4.16 (release)
- github.com/sulu/sulu/releases/tag/2.5.12 (release)
- github.com/sulu/sulu/security/advisories/GHSA-gfrh-gwqc-63cv (Sulu security advisory)