PT-2021-23967 · Sulu · Sulu

Alexander-Schranz · Published 2021-12-15 · Updated 2021-12-21 · CVE-2021-43836

CVSS v3.1: 8.5 (High)

Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Sulu versions prior to 1.6.44; Sulu versions prior to 2.2.18; Sulu versions prior to 2.3.8; Sulu versions prior to 2.4.0.
Description: Sulu is an open-source PHP content management system based on the Symfony framework. An authenticated backend user can read arbitrary local files on the server via a PHP file include; in the default configuration this also leads to remote code execution. Impact: arbitrary file read on the server and potential remote code execution. Exploitation requires a user account on the backend.
Recommendations: For versions prior to 1.6.44, update to version 1.6.44 or later. For versions prior to 2.2.18, update to version 2.2.18 or later. For versions prior to 2.3.8, update to version 2.3.8 or later. For versions prior to 2.4.0, update to version 2.4.0 or later. As a temporary workaround for users unable to upgrade, overwrite the service `sulu_route.generator.expression_token_provider` and wrap the translator before passing it to the expression language, so that route-generation expressions can only call the translation method and nothing else on the real translator.
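The workaround above as an added illustration; this is not code from Sulu or from the advisory author. It shows a least-privilege facade that exposes only `trans()` and `getLocale()` to the expression language, plus the service override that hands the facade to the token provider. The service id is the one named in the advisory; the token provider's class name, its constructor argument order (`request_stack`, then the translator) and the file paths are assumptions to verify against the installed Sulu version.

```php
<?php
// src/Translation/RestrictedTranslator.php  (file path is assumed)
declare(strict_types=1);

namespace App\Translation;

use Symfony\Contracts\Translation\TranslatorInterface;

/**
 * Facade handed to the route-generation expression language instead of the
 * real translator. Only the two methods of TranslatorInterface are reachable,
 * so loaders, catalogues and resource registration on the wrapped object are
 * not callable from an expression controlled by a backend user.
 */
final class RestrictedTranslator implements TranslatorInterface
{
    /** @var TranslatorInterface */
    private $inner;

    public function __construct(TranslatorInterface $inner)
    {
        $this->inner = $inner;
    }

    public function trans(string $id, array $parameters = [], ?string $domain = null, ?string $locale = null): string
    {
        return $this->inner->trans($id, $parameters, $domain, $locale);
    }

    public function getLocale(): string
    {
        return $this->inner->getLocale();
    }
}

// Wiring, placed in config/services.yaml (assumed class name and argument order):
//
// services:
//     App\Translation\RestrictedTranslator:
//         arguments: ['@translator']
//
//     sulu_route.generator.expression_token_provider:
//         class: Sulu\Bundle\RouteBundle\Generator\ExpressionTokenProvider
//         arguments:
//             - '@request_stack'
//             - '@App\Translation\RestrictedTranslator'
```

After clearing the container cache, confirm that route generation for a page with a translated route schema still produces the expected path, which shows the facade delegates correctly while the real translator is no longer exposed.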

Tags: Fix · RCE · Path traversal


Weakness Enumeration

Related Identifiers

CVE-2021-43836
GHSA-VX6J-PJRH-VGJH

Affected Products

Sulu