Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Sulu - CVE-2024-24807
Published: February 5, 2024 / Updated: May 12, 2026
Vulnerability identifier: #VU131119
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-24807
CWE-ID: CWE-80
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Sulu GmbH
Affected software:
Sulu
Sulu
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary script in an administrator's browser.
The vulnerability exists due to improper neutralization of script-related html tags in the autocomplete suggestion feature when listing tag names in the auto complete form. A remote user can create a tag with crafted html content to execute arbitrary script in an administrator's browser.
Only administrative users can create tags, and the issue is triggered when the crafted tag name is shown in autocomplete suggestions.
How to mitigate CVE-2024-24807
Install security update from vendor's website.