CVE-2021-32737 - OpenCVE

Sulu is an open-source PHP content management system based on the Symfony framework. In versions of Sulu prior to 1.6.41, it is possible for a logged in admin user to add a script injection (cross-site-scripting) in the collection title. The problem is patched in version 1.6.41. As a workaround, one may manually patch the affected JavaScript files in lieu of updating.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sulu	Sulu

Configuration 1 [-]

cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/sulu/sulu/releases/tag/1.6.41
https://github.com/sulu/sulu/security/advisories/GHSA-gm2x-6475-g9r8

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-07-02T17:55:09

Updated: 2024-08-03T23:33:55.802Z

Reserved: 2021-05-12T00:00:00

Link: CVE-2021-32737

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-07-02T18:15:09.603

Modified: 2021-07-09T14:37:16.060

Link: CVE-2021-32737

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "sulu", "vendor": "sulu", "versions": [{"status": "affected", "version": "< 1.6.41"}]}], "descriptions": [{"lang": "en", "value": "Sulu is an open-source PHP content management system based on the Symfony framework. In versions of Sulu prior to 1.6.41, it is possible for a logged in admin user to add a script injection (cross-site-scripting) in the collection title. The problem is patched in version 1.6.41. As a workaround, one may manually patch the affected JavaScript files in lieu of updating."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-07-02T17:55:09", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sulu/sulu/security/advisories/GHSA-gm2x-6475-g9r8"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/sulu/sulu/releases/tag/1.6.41"}], "source": {"advisory": "GHSA-gm2x-6475-g9r8", "discovery": "UNKNOWN"}, "title": "XSS Injection in Media Collection Title was possible", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-32737", "STATE": "PUBLIC", "TITLE": "XSS Injection in Media Collection Title was possible"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "sulu", "version": {"version_data": [{"version_value": "< 1.6.41"}]}}]}, "vendor_name": "sulu"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Sulu is an open-source PHP content management system based on the Symfony framework. In versions of Sulu prior to 1.6.41, it is possible for a logged in admin user to add a script injection (cross-site-scripting) in the collection title. The problem is patched in version 1.6.41. As a workaround, one may manually patch the affected JavaScript files in lieu of updating."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/sulu/sulu/security/advisories/GHSA-gm2x-6475-g9r8", "refsource": "CONFIRM", "url": "https://github.com/sulu/sulu/security/advisories/GHSA-gm2x-6475-g9r8"}, {"name": "https://github.com/sulu/sulu/releases/tag/1.6.41", "refsource": "MISC", "url": "https://github.com/sulu/sulu/releases/tag/1.6.41"}]}, "source": {"advisory": "GHSA-gm2x-6475-g9r8", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:33:55.802Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/sulu/sulu/security/advisories/GHSA-gm2x-6475-g9r8"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/sulu/sulu/releases/tag/1.6.41"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-32737", "datePublished": "2021-07-02T17:55:09", "dateReserved": "2021-05-12T00:00:00", "dateUpdated": "2024-08-03T23:33:55.802Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*", "matchCriteriaId": "90800C58-EEBC-4655-9A8E-5BAF98D83821", "versionEndExcluding": "1.6.41", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Sulu is an open-source PHP content management system based on the Symfony framework. In versions of Sulu prior to 1.6.41, it is possible for a logged in admin user to add a script injection (cross-site-scripting) in the collection title. The problem is patched in version 1.6.41. As a workaround, one may manually patch the affected JavaScript files in lieu of updating."}, {"lang": "es", "value": "Sulu es un sistema de administraci\u00f3n de contenidos PHP de c\u00f3digo abierto basado en el framework Symfony. En las versiones de Sulu anteriores a 1.6.41, es posible para un usuario administrador conectado a\u00f1adir una inyecci\u00f3n de script (cross-site-scripting) en el t\u00edtulo de la colecci\u00f3n. El problema est\u00e1 parcheado en la versi\u00f3n 1.6.41. Como soluci\u00f3n alternativa, se puede parchear manualmente los archivos JavaScript afectados en lugar de actualizarlos"}], "id": "CVE-2021-32737", "lastModified": "2021-07-09T14:37:16.060", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-07-02T18:15:09.603", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/sulu/sulu/releases/tag/1.6.41"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/sulu/sulu/security/advisories/GHSA-gm2x-6475-g9r8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}