Vulnerability Details : CVE-2021-41169
Sulu is an open-source PHP content management system based on the Symfony framework. Versions before 1.6.43 are subject to stored cross-site scripting attacks: HTML input in tag names is not properly sanitized. Only admin users are allowed to create tags. Users are advised to upgrade.
Vulnerability category: Cross-site scripting (XSS)
Products affected by CVE-2021-41169
- cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-41169
- EPSS score: 0.29% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~52% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2021-41169
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N | 6.8 | 2.9 | NIST | |
4.8 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | 1.7 | 2.7 | NIST | |
6.2 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N | 1.7 | 4.0 | GitHub, Inc. | |
CWE ids for CVE-2021-41169
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: security-advisories@github.com (Primary)
References for CVE-2021-41169
- https://github.com/sulu/sulu/commit/20007ac70a3af3c9e53a6acb0ef8794b65642445 (Merge pull request from GHSA-h58v-g3q6-q9fx · sulu/sulu@20007ac · GitHub) Patch; Third Party Advisory
- https://github.com/sulu/sulu/security/advisories/GHSA-h58v-g3q6-q9fx (XSS injection in Tag autocomplete was possible · Advisory · sulu/sulu · GitHub) Third Party Advisory