SB2024100360 - Multiple vulnerabilities in Sulu

Description

This security bulletin contains information about 2 vulnerabilities.

1) Cross-site scripting (CVE-ID: CVE-2024-47617)

The vulnerability allows a remote attacker to inject arbitrary HTML/JavaScript code.

The vulnerability exists due to cross-site scripting in the SuluMediaBundle MediaStreamController downloadAction method when processing the media download URL slug parameter. A remote attacker can send a specially crafted media download URL to inject arbitrary HTML/JavaScript code.

User interaction is required to trigger the reflected cross-site scripting issue.

2) Cross-site scripting (CVE-ID: CVE-2024-47618)

The vulnerability allows a remote user to execute arbitrary script in a victim's browser.

The vulnerability exists due to cross-site scripting in the Media section when processing uploaded SVG files. A remote user can upload a crafted SVG file to execute arbitrary script in a victim's browser.

User interaction is required to access the uploaded SVG file, and the issue can affect other users including administrators.

Remediation

Install update from vendor's website.

References

• https://github.com/sulu/sulu/security/advisories/GHSA-6784-9c82-vr85
• https://github.com/sulu/sulu/blob/2.6/src/Sulu/Bundle/MediaBundle/Controller/MediaStreamController.php#L106
• https://github.com/sulu/sulu/security/advisories/GHSA-255w-87rh-rg44