PT-2021-23966 · Sulu · Sulu

Alexander-Schranz · Published 2021-12-15 · Updated 2021-12-21 · CVE-2021-43835

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Sulu versions 2.0.0-RC1 through 2.2.17; Sulu versions 2.3.0 through 2.3.7; Sulu version 2.4.0 before the patch.
Description: Sulu is an open-source PHP content management system based on the Symfony framework. In affected versions, any authenticated Sulu user with access to any subset of the admin UI is able to elevate their privileges: over the API it was possible for them to grant themselves permissions to areas they did not already have. The issue was introduced with the new ProfileController putAction, i.e. the endpoint through which users update their own profile. Because the flaw is reachable only by an already-authenticated account, the CVSS vector rates Privileges Required as High, while the impact is full loss of confidentiality, integrity and availability of the affected instance. The estimated number of potentially affected installations worldwide is not available. There is no information about real-world incidents where this issue was exploited.
Recommendations: For Sulu versions 2.0.0-RC1 through 2.2.17, update to version 2.2.18 or later. For Sulu versions 2.3.0 through 2.3.7, update to version 2.3.8 or later. For Sulu version 2.4.0, apply the patch to the ProfileController manually until a patched release is available. As a temporary workaround on any affected version, the ProfileController can be overridden with a patched copy.
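As an added illustration of the flaw class described above, and of the shape a manual ProfileController fix takes, the following is example code written for this entry; it is not Sulu's own controller, nor the project's actual patch. A self-service profile update that copies every key of the request body onto the current user lets that user send authorization fields such as userRoles alongside their name; restricting the write to an allowlist of profile fields closes the hole. The field names, role names and the in-memory sample user are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example for this advisory entry, not Sulu code. Field and role
// names below are constructed; a real fix would match the project's own
// user model.

/** Fields a user may legitimately change about their own profile. */
const PROFILE_WRITABLE_FIELDS = ['firstName', 'lastName', 'email', 'locale'];

/**
 * Vulnerable pattern: every key of the request body is written onto the
 * current user's record. Anyone who can reach the profile endpoint can
 * therefore also submit "userRoles" (or any other authorization field)
 * and grant themselves access they did not have.
 */
function updateProfileVulnerable(array $user, array $payload): array
{
    foreach ($payload as $field => $value) {
        $user[$field] = $value;
    }
    return $user;
}

/**
 * Hardened pattern: copy only the allowlisted profile fields. Every other
 * key in the body (roles, permissions, enabled/locked flags, id, ...) is
 * dropped and returned via $rejected so the caller can log or refuse it.
 */
function updateProfileHardened(array $user, array $payload, array &$rejected = []): array
{
    $rejected = array_values(array_diff(array_keys($payload), PROFILE_WRITABLE_FIELDS));
    foreach (PROFILE_WRITABLE_FIELDS as $field) {
        if (array_key_exists($field, $payload)) {
            $user[$field] = $payload[$field];
        }
    }
    return $user;
}

// Constructed sample: a low-privilege editor tries to make itself an
// administrator through its own profile update.
$currentUser = [
    'id'        => 42,
    'username'  => 'editor',
    'firstName' => 'Ed',
    'lastName'  => 'Itor',
    'email'     => 'editor@example.test',
    'locale'    => 'en',
    'userRoles' => ['ROLE_EDITOR'],
];

$maliciousPayload = [
    'firstName' => 'Ed',
    'userRoles' => ['ROLE_EDITOR', 'ROLE_ADMIN'],
];

$before = $currentUser['userRoles'];
$after  = updateProfileVulnerable($currentUser, $maliciousPayload)['userRoles'];
printf("vulnerable: roles %s -> %s\n", implode(',', $before), implode(',', $after));

$rejected = [];
$safe = updateProfileHardened($currentUser, $maliciousPayload, $rejected);
printf("hardened:   roles %s, dropped keys: %s\n",
    implode(',', $safe['userRoles']), implode(',', $rejected));
```

The allowlist is deliberately positive (name the fields that may change) rather than a denylist of known-dangerous keys, so a new authorization field added to the user model later is protected by default. In a real deployment the rejected keys are worth logging, since a request that carries them is a strong indicator of an exploitation attempt.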

Fix

Weakness Enumeration

Improper Privilege Management (CWE-269)

Related Identifiers

CVE-2021-43835
GHSA-84PX-Q68R-2FC9

Affected Products

Sulu