CVE-2024-37156
MEDIUM
SuluFormBundle 2.0.0-2.5.2 - Cross-Site Scripting via TokenController formName Parameter
Title source: llmDescription
The SuluFormBundle adds support for creating dynamic forms in Sulu Admin. The `formName` GET parameter handled by the TokenController is reflected, without sanitization or escaping, into the input field returned in the response. An attacker who gets a victim to open a crafted URL can therefore break out of the attribute and inject script into the page (reflected cross-site scripting). The vulnerability is fixed in version 2.5.3.
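To make the attribute-context problem concrete, the following is an added illustration and not SuluFormBundle's own TokenController code: a minimal function that reflects `formName` into an input tag the unsafe way, the same function hardened with attribute escaping, and a small check a practitioner can run over a captured response body to see whether a marker payload came back unescaped. The function names, the exact input markup and the payload are assumptions for demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not the project's code. Simulates the vulnerable pattern:
// a query parameter is concatenated straight into an HTML attribute value.
function renderTokenFieldVulnerable(string $formName): string
{
    return '<input type="text" name="formName" value="' . $formName . '">';
}

// Hardened form: escape for the HTML attribute context before reflecting.
// ENT_QUOTES encodes both " and ' so the value cannot close the attribute.
function renderTokenFieldHardened(string $formName): string
{
    $safe = htmlspecialchars($formName, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="formName" value="' . $safe . '">';
}

// Check usable against a real response body: true when the payload was
// reflected byte-for-byte, i.e. its quote and angle brackets survived.
function reflectsUnescaped(string $responseBody, string $payload): bool
{
    return strpos($responseBody, $payload) !== false;
}

// Constructed payload (not from the advisory): closes the value attribute,
// closes the tag and injects an element with an event handler.
$payload = '"><img src=x onerror=alert(document.domain)>';

// In a real request this would come from $_GET['formName'].
$vulnerable = renderTokenFieldVulnerable($payload);
$hardened   = renderTokenFieldHardened($payload);

echo $vulnerable, PHP_EOL;
echo $hardened, PHP_EOL;

echo 'vulnerable reflects unescaped: ', var_export(reflectsUnescaped($vulnerable, $payload), true), PHP_EOL;
echo 'hardened reflects unescaped:   ', var_export(reflectsUnescaped($hardened, $payload), true), PHP_EOL;
```

Run it with `php example.php`. To verify a deployment rather than the simulation, request the token endpoint with a unique marker in `formName` and pass the response body and the marker to `reflectsUnescaped`; a `true` result on a version below 2.5.3 matches the behaviour described in the advisory. In Twig templates the equivalent fix is to rely on autoescaping (or the `e('html_attr')` filter) rather than marking the value `|raw`.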
References (2)
Vendor Advisory x_refsource_confirm
https://github.com/sulu/SuluFormBundle/security/advisories/GHSA-rrvc-c7xg-7cf3
Scores
CVSS v3
6.1
EPSS
0.0029
EPSS Percentile
20.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-80
CWE-79
Status
published
Products (2)
sulu/form-bundle (Packagist)
2.0.0 - 2.5.3 (upper bound is the fixed release; affected versions are 2.0.0 through 2.5.2)
sulu/suluformbundle
2.0.0 - 2.5.3 (same range; fixed in 2.5.3)
Published
Jun 06, 2024
Tracked Since
Feb 18, 2026