PT-2024-22132 · Symfony · Symfony Security Http

Alexander-Schranz · Published 2024-03-04 · Updated 2025-01-08 · CVE-2024-27915

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Sulu versions 2.2.0 through 2.4.16
Sulu versions 2.5.0 through 2.5.12

Description
Sulu, a PHP content management system, grants access to pages regardless of role permissions for webspaces that have a security system configured and the permission check enabled. Webspaces without this configuration are not affected. The behaviour is triggered by the route-matching shortcut added to vendor/symfony/security-http/HttpUtils.php in symfony/security-http v5.4.30 and v6.3.6 (see Recommendations). The problem is patched in Sulu 2.4.17 and 2.5.13.

Recommendations
For Sulu versions 2.2.0 through 2.4.16, update to version 2.4.17. For Sulu versions 2.5.0 through 2.5.12, update to version 2.5.13. As a temporary workaround, either apply the Sulu patch manually, or keep symfony/security-http below the versions that introduced the shortcut (below v5.4.30 on the 5.4 branch, below v6.3.6 on the 6.3 branch). Alternatively, remove the following lines from vendor/symfony/security-http/HttpUtils.php (note that any edit under vendor/ is overwritten by the next composer install or update, so this only buys time until the Sulu update is applied):
        // Shortcut if request has already been matched before
        if ($request->attributes->has('_route')) {
            return $path === $request->attributes->get('_route');
        }
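To make the effect of those four lines concrete, the following is an added illustration (not Symfony's or Sulu's code): a minimal model of HttpUtils::checkRequestPath() in both forms, before and after the "_route" shortcut. The ToyRequest class, the matchRoute() route table and the cms_dynamic_page attribute value are constructed for the example. With the shortcut, a request that already carries a "_route" attribute is no longer re-matched against the URL: whatever was stored in that attribute earlier in the request cycle decides the answer. How a consumer turns that changed answer into an authorization decision is application-specific; the page does not describe Sulu's listener, and this model does not attempt to.

```php
<?php
// Added illustration, not Symfony's or Sulu's code: a minimal model of
// HttpUtils::checkRequestPath() with and without the "_route" shortcut
// introduced in symfony/security-http v5.4.30 / v6.3.6.
declare(strict_types=1);

/** Toy stand-in for Symfony's Request: only what the model needs. */
final class ToyRequest
{
    /** @var array<string, mixed> request attributes, e.g. "_route" */
    public array $attributes = [];

    public function __construct(public readonly string $pathInfo) {}
}

/** Toy URL matcher: maps a path to a route name, null when nothing matches. */
function matchRoute(string $pathInfo): ?string
{
    // Constructed route table for the example.
    $routes = [
        '/login'  => 'app_login',
        '/secure' => 'app_secure_area',
    ];

    return $routes[$pathInfo] ?? null;
}

/**
 * Model of the pre-shortcut behaviour: a route name ($path not starting
 * with "/") is always resolved by matching the request path.
 */
function checkRequestPathByMatching(ToyRequest $request, string $path): bool
{
    if ('/' !== $path[0]) {
        return $path === matchRoute($request->pathInfo);
    }

    return $path === rawurldecode($request->pathInfo);
}

/**
 * Model of the post-shortcut behaviour: when the request already carries a
 * "_route" attribute, that attribute is trusted and the path is not re-matched.
 */
function checkRequestPathWithShortcut(ToyRequest $request, string $path): bool
{
    if ('/' !== $path[0]) {
        if (array_key_exists('_route', $request->attributes)) {
            return $path === $request->attributes['_route'];
        }

        return $path === matchRoute($request->pathInfo);
    }

    return $path === rawurldecode($request->pathInfo);
}

// Constructed scenario: a request to /secure whose "_route" attribute was set
// earlier in the request cycle (for example by a CMS router) to a value that
// is not the route name the URL matcher would return for that path.
$request = new ToyRequest('/secure');
$request->attributes['_route'] = 'cms_dynamic_page';

var_dump(checkRequestPathByMatching($request, 'app_secure_area'));
var_dump(checkRequestPathWithShortcut($request, 'app_secure_area'));
```

For the constructed request, the matching-based model reports that the request is the app_secure_area route, while the shortcut-based model reports that it is not, because it compares the caller's route name against the stored attribute rather than against the matched URL. Any code that asks "is this request the protected route?" and decides whether to run a permission check on the answer sees different results across the two symfony/security-http versions, which is why the advisory's workaround targets exactly those lines.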

Weakness Enumeration
Incorrect Authorization

Related Identifiers
CVE-2024-27915
GHSA-JR83-M233-GG6P

Affected Products
Symfony Security Http