PT-2024-27340 · Unknown+1 · Suluformbundle+1 · Picturestone+1

Published: 2024-06-06 · Updated: 2024-10-09 · CVE-2024-37156

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: SuluFormBundle versions prior to 2.5.3

Description: The SuluFormBundle adds support for creating dynamic forms in Sulu Admin. The GET parameter formName of the TokenController is not sanitized before being reflected in the returned input field, which leads to (reflected) XSS.

Recommendations: For versions prior to 2.5.3, update to version 2.5.3 to fix the vulnerability. As a temporary workaround, consider creating a custom Symfony Request listener that checks the GET value of form for the TokenController and stops the request dispatching, returning an error status code if the value is not valid.
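The workaround above, as an added example that is not code from the advisory or from the Sulu project: a kernel.request subscriber that rejects a non-identifier form name before the TokenController runs. It assumes the affected controller can be recognised from the resolved "_controller" request attribute (needle "TokenController") and that the reflected value arrives under the query key "form" or "formName", both of which this advisory names.

```php
<?php
// Added example (not advisory or Sulu code). Assumptions: the affected controller
// is identifiable via the resolved "_controller" attribute, and the reflected
// parameter is the query key "form" or "formName" (the advisory names both).
declare(strict_types=1);

namespace App\EventListener;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;

final class FormTokenRequestSubscriber implements EventSubscriberInterface
{
    // A form name is an identifier; anything else ("<", quotes, slashes) is rejected.
    private const FORM_NAME_PATTERN = '/^[A-Za-z0-9_-]{1,64}$/';
    private const CONTROLLER_NEEDLE = 'TokenController'; // assumption, see above

    public static function getSubscribedEvents(): array
    {
        // Priority 0 runs after Symfony's RouterListener (priority 32), so the
        // "_controller" attribute is already resolved when this listener runs.
        return [KernelEvents::REQUEST => ['onKernelRequest', 0]];
    }

    public function onKernelRequest(RequestEvent $event): void
    {
        $request = $event->getRequest();
        $controller = $request->attributes->get('_controller');
        if (!is_string($controller) || !str_contains($controller, self::CONTROLLER_NEEDLE)) {
            return; // not the affected controller, leave the request alone
        }

        foreach (['form', 'formName'] as $key) {
            if (!$request->query->has($key)) {
                continue;
            }
            $value = $request->query->get($key);
            if (!is_string($value) || preg_match(self::FORM_NAME_PATTERN, $value) !== 1) {
                // Setting a response stops dispatching: the controller never runs,
                // so the unsanitized value is never reflected into the HTML.
                $event->setResponse(new Response('Invalid form name', Response::HTTP_BAD_REQUEST));
                return;
            }
        }
    }
}
```

With Symfony's default autoconfiguration the class is tagged as an event subscriber automatically; rejected requests are answered with HTTP 400 and can be counted in access logs to spot probing.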

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2024-37156
GHSA-RRVC-C7XG-7CF3

Affected Products

Suluformbundle
Symfony