PT-2024-32676 · Unknown+2 · Sulumediabundle+2

Wachterjohannes · Published 2024-10-03 · Updated 2024-10-08 · CVE-2024-47617

CVSS v3.1: 6.1 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Sulu versions prior to 2.6.5; Sulu versions prior to 2.5.21

Description: This issue allows an attacker to inject arbitrary HTML/JavaScript code through the media download URL in Sulu CMS, affecting the SuluMediaBundle component. It is a Reflected Cross-Site Scripting (XSS) issue, which could potentially allow attackers to steal sensitive information, manipulate the website's content, or perform actions on behalf of the victim.

Recommendations: For versions prior to 2.6.5, update to version 2.6.5 or later. For versions prior to 2.5.21, update to version 2.5.21 or later. As a temporary workaround, consider implementing additional input validation and output encoding for the slug parameter in the MediaStreamController's downloadAction method. Alternatively, configuring a Web Application Firewall (WAF) to filter potentially malicious input could serve as a temporary mitigation.
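As an added illustration of the workaround recommended above (hypothetical code written for this page, not Sulu's own MediaStreamController::downloadAction), the following handler applies both layers: an allowlist on the slug path segment, and HTML encoding of the slug wherever it is reflected into a response body. The directory name, the pattern and the sample inputs are all constructed for the illustration.

```php
<?php
// Added illustration of the recommended mitigation; hypothetical code, not
// the actual Sulu MediaStreamController::downloadAction.
declare(strict_types=1);

// Layer 1, input validation: a conservative filename allowlist so that
// markup characters never reach the response at all (assumed pattern).
const SLUG_PATTERN = '/\A[A-Za-z0-9][A-Za-z0-9._-]{0,254}\z/';

function isValidSlug(string $slug): bool
{
    return preg_match(SLUG_PATTERN, $slug) === 1;
}

// Layer 2, output encoding: applied to any user-controlled value that is
// echoed into an HTML body, even one that already passed validation.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical download handler: returns [status, content-type, body].
function downloadAction(string $slug): array
{
    if (!isValidSlug($slug)) {
        // Reject early; the error body is plain text, so nothing is rendered as HTML.
        return [400, 'text/plain; charset=UTF-8', 'Invalid media slug'];
    }
    $file = __DIR__ . '/media/' . $slug; // constructed storage path for the illustration
    if (!is_file($file)) {
        // The slug is encoded before being reflected into the HTML error page.
        $body = '<p>Media <code>' . e($slug) . '</code> was not found.</p>';
        return [404, 'text/html; charset=UTF-8', $body];
    }
    return [200, 'application/octet-stream', (string) file_get_contents($file)];
}

// Constructed sample inputs exercising both layers.
[$status] = downloadAction('<script>x</script>');        // 400: rejected by the allowlist
[, , $body] = downloadAction('missing-file.pdf');       // 404: slug encoded in the body
assert($status === 400);
assert(strpos($body, '<code>missing-file.pdf</code>') !== false);
```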

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2024-47617
GHSA-6784-9C82-VR85

Affected Products

Sulu
Sulu Cms
Sulumediabundle