CVE-2024-24807
Sulu HTML Injection via Autocomplete Suggestion
Description
### Impact It is an issue when input HTML into the Tag name. The HTML is execute when the tag name is listed in the auto complete form. Only admin users are affected and only admin users can create tags. ### Patches _Has the problem been patched? What versions should users upgrade to?_ The problem is patched with Version 2.4.16 and 2.5.12. ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ Create a custom mutation observer ### References _Are there any links users can visit to find out more?_ Currently not. ### For more information _If you have any questions or comments about this advisory:_ - Open an issue in [sulu/sulu repository](https://github.com/sulu/sulu/issues) - Email us at [[email protected]](mailto:[email protected])
How to fix CVE-2024-24807
To remediate CVE-2024-24807, upgrade the affected package to a fixed version below.
- —upgrade to 2.4.16 or later
Is CVE-2024-24807 being exploited?
Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 2.0.0, < 2.4.16