Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Sulu - CVE-2021-41169


Published: October 21, 2021 / Updated: May 12, 2026


Vulnerability identifier: #VU131112
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-41169
CWE-ID: CWE-80
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Sulu GmbH
Affected software: Sulu

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in an administrator's browser.

The vulnerability exists due to improper neutralization of script-related HTML tags in the tag autocomplete feature when tag names are listed in the autocomplete form. A remote user can create a tag whose name contains crafted HTML and thereby execute arbitrary script in an administrator's browser.

Only administrator users can create tags, and the issue is triggered when the crafted tag name is displayed by the autocomplete functionality.
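To make the weakness concrete, the following added JavaScript example (not Sulu's code; the tag records, function names and markup are assumptions) shows a suggestion list that interpolates stored tag names straight into HTML, the output-escaping fix, and an audit check defenders can run over already-stored tag names:

```javascript
// Added example, not Sulu's code: how a tag autocomplete list becomes a
// stored-XSS sink when tag names are concatenated into HTML, and the fix.
// All function and field names below are assumed for illustration.

// Constructed sample of stored tag names as a tag-listing API might return
// them. The second carries script-related markup (CWE-80); its body is inert.
const storedTags = [
  { id: 1, name: 'news' },
  { id: 2, name: '<script>/* stored payload */</script>' },
];

// Vulnerable rendering: tag names are interpolated into markup unchanged,
// so the browser parses any tags inside the name as real elements.
function renderSuggestionsVulnerable(tags) {
  return '<ul class="autocomplete">' +
    tags.map((t) => `<li data-id="${t.id}">${t.name}</li>`).join('') +
    '</ul>';
}

// Escape the five characters that can change HTML context. Escaping happens
// at the output point, not at storage time, so every display path is covered.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened rendering: every dynamic value is escaped for the context it
// lands in (element text and a double-quoted attribute value).
function renderSuggestionsSafe(tags) {
  return '<ul class="autocomplete">' +
    tags.map((t) =>
      `<li data-id="${escapeHtml(t.id)}">${escapeHtml(t.name)}</li>`).join('') +
    '</ul>';
}

// Audit helper: list ids of stored tags whose names contain markup, so
// existing data can be reviewed after the fixed version is deployed.
function findTagsWithMarkup(tags) {
  return tags.filter((t) => /[<>]/.test(t.name)).map((t) => t.id);
}

// Self-check: a raw <script> tag survives only in the vulnerable output.
const hasScriptTag = (html) => /<script[\s>]/i.test(html);
console.log(hasScriptTag(renderSuggestionsVulnerable(storedTags))); // true
console.log(hasScriptTag(renderSuggestionsSafe(storedTags)));       // false
```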


How to mitigate CVE-2021-41169

Install the security update from the vendor's website.

Sources