CVE-2024-27915

Sulu is a PHP content management system. Starting in verson 2.2.0 and prior to version 2.4.17 and 2.5.13, access to pages is granted regardless of role permissions for webspaces which have a security system configured and permission check enabled. Webspaces without do not have this issue. The problem is patched in versions 2.4.17 and 2.5.13. Some workarounds are available. One may apply the patch to `vendor/symfony/security-http/HttpUtils.php` manually or avoid installing `symfony/security-http` versions greater equal than `v5.4.30` or `v6.3.6`.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*
cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*

History

08 Jan 2025, 18:37

Type Values Removed Values Added
CPE cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*
References () https://github.com/sulu/sulu/commit/ec9c3f99e15336dc4f6877f512300f231c17c6da - () https://github.com/sulu/sulu/commit/ec9c3f99e15336dc4f6877f512300f231c17c6da - Patch
References () https://github.com/sulu/sulu/security/advisories/GHSA-jr83-m233-gg6p - () https://github.com/sulu/sulu/security/advisories/GHSA-jr83-m233-gg6p - Mitigation, Vendor Advisory
First Time Sulu
Sulu sulu

Information

Published : 2024-03-06 20:15

Updated : 2025-01-08 18:37


NVD link : CVE-2024-27915

Mitre link : CVE-2024-27915

CVE.ORG link : CVE-2024-27915


JSON object : View

Products Affected

sulu

  • sulu
CWE
CWE-863

Incorrect Authorization