Description
Sulu is a PHP content management system. Starting in version 2.2.0 and prior to versions 2.4.17 and 2.5.13, access to pages is granted regardless of role permissions for webspaces that have a security system configured and the permission check enabled. Webspaces without such a configuration do not have this issue. The problem is patched in versions 2.4.17 and 2.5.13. Some workarounds are available: one may apply the patch to `vendor/symfony/security-http/HttpUtils.php` manually, or avoid installing `symfony/security-http` versions greater than or equal to `v5.4.30` or `v6.3.6`.
References (2)
Mitigation, Vendor Advisory x_refsource_confirm
https://github.com/sulu/sulu/security/advisories/GHSA-jr83-m233-gg6p
Patch x_refsource_misc
https://github.com/sulu/sulu/commit/ec9c3f99e15336dc4f6877f512300f231c17c6da
Scores
CVSS v3
6.8
EPSS
0.0015
EPSS Percentile
35.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-863
Status
published
Products (2)
sulu/sulu
2.2.0 - 2.4.17
sulu/sulu (Packagist)
2.2.0 - 2.4.17
Published
Mar 06, 2024
Tracked Since
Feb 18, 2026