CVE-2024-47617: Injection of arbitrary HTML/JavaScript code through the media download URL
An attacker can inject arbitrary HTML/JavaScript code through the media download URL in Sulu CMS. The affected component is the SuluMediaBundle (the MediaStreamController is referenced below). This is a reflected cross-site scripting (XSS) issue: the injected code is returned in the response to a crafted download URL and runs in the browser of any victim who opens that URL, which can expose session data, alter page content, or perform actions in the victim's name. Because the XSS is reflected, the victim has to follow an attacker-supplied link to the crafted URL. Consult the GHSA advisory for the affected and patched version ranges before upgrading.
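To make the class of bug concrete, the following PHP is an added illustration written for this page; it is not Sulu's code and does not reproduce the actual SuluMediaBundle code path. The media table, function names and request shape are assumptions. It shows a download endpoint that reflects the file name taken from the URL into an HTML error page unescaped, beside the same endpoint with the reflected value escaped for the HTML text context.

```php
<?php
// Added illustration, not Sulu's code: a download endpoint that reflects the
// requested file name into an HTML error page, beside the escaped version.
// Function names, MEDIA table and the request shape are assumptions.

declare(strict_types=1);

/** Constructed stand-in for a media lookup: id => stored file name. */
const MEDIA = [
    42 => 'report-2024.pdf',
];

/**
 * VULNERABLE: the file name taken from the URL is echoed into HTML as-is.
 * Any "<" or quote in the URL becomes markup in the victim's browser.
 */
function notFoundVulnerable(int $id, string $requestedName): string
{
    return "<p>Media {$id} has no file named {$requestedName}</p>";
}

/**
 * HARDENED: escape every reflected value for the HTML text context.
 * ENT_QUOTES also escapes single quotes so the value is safe inside attributes;
 * ENT_SUBSTITUTE keeps invalid UTF-8 from turning the output into an empty string.
 */
function notFoundSafe(int $id, string $requestedName): string
{
    $safeName = htmlspecialchars($requestedName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Media {$id} has no file named {$safeName}</p>";
}

/**
 * Resolve a download request. Returns [status, contentType, body].
 * The name-mismatch branch is where attacker-controlled input reaches the response.
 */
function handleDownload(int $id, string $requestedName, bool $hardened): array
{
    if (!isset(MEDIA[$id])) {
        return [404, 'text/plain; charset=UTF-8', 'Not found'];
    }
    if (MEDIA[$id] !== $requestedName) {
        $body = $hardened
            ? notFoundSafe($id, $requestedName)
            : notFoundVulnerable($id, $requestedName);
        return [404, 'text/html; charset=UTF-8', $body];
    }
    // Real code would stream the file; the example only acknowledges the match.
    return [200, 'application/octet-stream', 'file bytes of ' . MEDIA[$id]];
}

/** Quick check a reviewer can run: does the response still carry raw markup? */
function reflectsRawMarkup(string $body, string $payload): bool
{
    return str_contains($body, $payload);
}

// Constructed attacker input, as it would arrive in a URL such as
//   /media/42/download/<script>alert(document.cookie)</script>
$payload = '<script>alert(document.cookie)</script>';

[$status, $type, $body] = handleDownload(42, $payload, false);
echo "vulnerable: {$status} {$type}\n{$body}\n";
echo 'raw payload reflected: ', reflectsRawMarkup($body, $payload) ? 'yes' : 'no', "\n\n";

[$status, $type, $body] = handleDownload(42, $payload, true);
echo "hardened:   {$status} {$type}\n{$body}\n";
echo 'raw payload reflected: ', reflectsRawMarkup($body, $payload) ? 'yes' : 'no', "\n";
```

Run it with `php example.php`. Escaping is only correct for the context the value lands in (HTML text here); a value placed into a JavaScript block, a URL or a CSS string needs that context's encoder instead. For a download endpoint the simplest robust fix is to not reflect the requested name at all: return a fixed error message, or redirect to the canonical URL built from the stored file name.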
References
- github.com/advisories/GHSA-6784-9c82-vr85
- github.com/sulu/sulu
- github.com/sulu/sulu/blob/2.6/src/Sulu/Bundle/MediaBundle/Controller/MediaStreamController.php
- github.com/sulu/sulu/commit/a5a5ae555d282e88ff8559d38cfb46dea7939bda
- github.com/sulu/sulu/commit/eeacd14b6cf55f710084788140d40ebb00314b29
- github.com/sulu/sulu/security/advisories/GHSA-6784-9c82-vr85
- nvd.nist.gov/vuln/detail/CVE-2024-47617
Detect and mitigate CVE-2024-47617 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.