Picturestone

**Name of the Vulnerable Software and Affected Versions** SuluFormBundle versions prior to 2.5.3 **Description** The SuluFormBundle adds support for creating dynamic forms in Sulu Admin. The TokenController get parameter `formName` is not sanitized in the returned input field, which leads to XSS. **Recommendations** For versions prior to 2.5.3, update to version 2.5.3 to fix the vulnerability. As a temporary workaround, consider creating a custom Symfony Request listener that checks for the get value of `form` for the TokenController and stops the request dispatching, returning an error status code if the value is not valid.