CVE-2021-41169 - Vulnerability Details - OpenCVE

Description

Sulu is an open-source PHP content management system based on the Symfony framework. In versions before 1.6.43 are subject to stored cross site scripting attacks. HTML input into Tag names is not properly sanitized. Only admin users are allowed to create tags. Users are advised to upgrade.

Published: 2021-10-21

Score: 6.2 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

sulu

sulu

affected

Version	Status	Constraints
`< 1.6.43`	affected	—

Configuration 1 [-]

cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2021-2208	Sulu is an open-source PHP content management system based on the Symfony framework. In versions before 1.6.43 are subject to stored cross site scripting attacks. HTML input into Tag names is not properly sanitized. Only admin users are allowed to create tags. Users are advised to upgrade.
Github GHSA	GHSA-h58v-g3q6-q9fx	Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in sulu/sulu

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00286.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/sulu/sulu/commit/20007ac70a3af3c9e53a6acb0ef8794b65642445
https://github.com/sulu/sulu/security/advisories/GHSA-h58v-g3q6-q9fx

History

No history.

Subscriptions

Sulu Sulu

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-10-21T20:25:10.000Z

Updated: 2024-08-04T02:59:31.756Z

Reserved: 2021-09-15T00:00:00.000Z

Link: CVE-2021-41169

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-10-21T21:15:08.303

Modified: 2024-11-21T06:25:39.590

Link: CVE-2021-41169

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-79

{"containers": {"cna": {"affected": [{"product": "sulu", "vendor": "sulu", "versions": [{"status": "affected", "version": "< 1.6.43"}]}], "descriptions": [{"lang": "en", "value": "Sulu is an open-source PHP content management system based on the Symfony framework. In versions before 1.6.43 are subject to stored cross site scripting attacks. HTML input into Tag names is not properly sanitized. Only admin users are allowed to create tags. Users are advised to upgrade."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-10-21T20:25:10.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sulu/sulu/security/advisories/GHSA-h58v-g3q6-q9fx"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/sulu/sulu/commit/20007ac70a3af3c9e53a6acb0ef8794b65642445"}], "source": {"advisory": "GHSA-h58v-g3q6-q9fx", "discovery": "UNKNOWN"}, "title": "Improper Neutralization HTML tags in sulu/sulu", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41169", "STATE": "PUBLIC", "TITLE": "Improper Neutralization HTML tags in sulu/sulu"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "sulu", "version": {"version_data": [{"version_value": "< 1.6.43"}]}}]}, "vendor_name": "sulu"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Sulu is an open-source PHP content management system based on the Symfony framework. In versions before 1.6.43 are subject to stored cross site scripting attacks. HTML input into Tag names is not properly sanitized. Only admin users are allowed to create tags. Users are advised to upgrade."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/sulu/sulu/security/advisories/GHSA-h58v-g3q6-q9fx", "refsource": "CONFIRM", "url": "https://github.com/sulu/sulu/security/advisories/GHSA-h58v-g3q6-q9fx"}, {"name": "https://github.com/sulu/sulu/commit/20007ac70a3af3c9e53a6acb0ef8794b65642445", "refsource": "MISC", "url": "https://github.com/sulu/sulu/commit/20007ac70a3af3c9e53a6acb0ef8794b65642445"}]}, "source": {"advisory": "GHSA-h58v-g3q6-q9fx", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T02:59:31.756Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/sulu/sulu/security/advisories/GHSA-h58v-g3q6-q9fx"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/sulu/sulu/commit/20007ac70a3af3c9e53a6acb0ef8794b65642445"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41169", "datePublished": "2021-10-21T20:25:10.000Z", "dateReserved": "2021-09-15T00:00:00.000Z", "dateUpdated": "2024-08-04T02:59:31.756Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*", "matchCriteriaId": "D4D351AF-03E0-4B53-A95D-8F70BBC17799", "versionEndExcluding": "1.6.43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Sulu is an open-source PHP content management system based on the Symfony framework. In versions before 1.6.43 are subject to stored cross site scripting attacks. HTML input into Tag names is not properly sanitized. Only admin users are allowed to create tags. Users are advised to upgrade."}, {"lang": "es", "value": "Sulu es un sistema de administraci\u00f3n de contenidos PHP de c\u00f3digo abierto basado en el framework Symfony. En versiones anteriores a 1.6.43, est\u00e1 sujeto a ataques de tipo cross site scripting almacenados. La entrada de HTML en los nombres de las etiquetas no est\u00e1 saneada apropiadamente. S\u00f3lo usuarios administradores pueden crear etiquetas. Se aconseja a los usuarios que actualicen"}], "id": "CVE-2021-41169", "lastModified": "2024-11-21T06:25:39.590", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-10-21T21:15:08.303", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/sulu/sulu/commit/20007ac70a3af3c9e53a6acb0ef8794b65642445"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/sulu/sulu/security/advisories/GHSA-h58v-g3q6-q9fx"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/sulu/sulu/commit/20007ac70a3af3c9e53a6acb0ef8794b65642445"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/sulu/sulu/security/advisories/GHSA-h58v-g3q6-q9fx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}