Alexander Schranz

5 exploits Active since Feb 2021
CVE-2021-26540 WRITEUP MEDIUM WRITEUP
Apostrophe Technologies sanitize-html <2.3.2 - Open Redirect
Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with "/\\example.com".
CVSS 5.3
CVE-2021-41169 WRITEUP MEDIUM WRITEUP
Sulu < 1.6.43 - Authenticated Stored Cross-Site Scripting in Tag Name Input
Sulu is an open-source PHP content management system based on the Symfony framework. In versions before 1.6.43 are subject to stored cross site scripting attacks. HTML input into Tag names is not properly sanitized. Only admin users are allowed to create tags. Users are advised to upgrade.
CVSS 6.2
CVE-2023-39343 WRITEUP MEDIUM WRITEUP
Sulu 2.5.0-2.5.9 - Observable Response Discrepancy via Admin Login Form
Sulu is an open-source PHP content management system based on the Symfony framework. It allows over the Admin Login form to detect which user (username, email) exists and which one do not exist. Sulu Installation not using the old Symfony 5.4 security System and previous version are not impacted by this Security issue. The vulnerability has been patched in version 2.5.10.
CVSS 4.3
CVE-2024-27915 WRITEUP MEDIUM WRITEUP
Sulu 2.2.0-2.4.16 and 2.5.0-2.5.12 - Incorrect Authorization in Webspace Security System
Sulu is a PHP content management system. Starting in verson 2.2.0 and prior to version 2.4.17 and 2.5.13, access to pages is granted regardless of role permissions for webspaces which have a security system configured and permission check enabled. Webspaces without do not have this issue. The problem is patched in versions 2.4.17 and 2.5.13. Some workarounds are available. One may apply the patch to `vendor/symfony/security-http/HttpUtils.php` manually or avoid installing `symfony/security-http` versions greater equal than `v5.4.30` or `v6.3.6`.
CVSS 6.8
CVE-2025-47778 WRITEUP MEDIUM WRITEUP
Sulu 2.5.21-2.5.24, 2.6.5-2.6.8, 3.0.0-alpha1-3.0.0-alpha2 - XML External Entity Injection via SVG Upload
Sulu is an open-source PHP content management system based on the Symfony framework. Starting in versions 2.5.21, 2.6.5, and 3.0.0-alpha1, an admin user can upload SVG which may load external data via XML DOM library. This can be used for insecure XML External Entity References. The problem has been patched in versions 2.6.9, 2.5.25, and 3.0.0-alpha3. As a workaround, one may patch the effect file `src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php` manually.