PT-2025-21177 · Sulu · Sulu
Published: 2025-05-14 · Updated: 2025-05-15 · CVE-2025-47778
CVSS v4.0: 6.1 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions:
Sulu versions 2.5.21 through 2.5.24
Sulu versions 2.6.5 through 2.6.8
Sulu versions 3.0.0-alpha1 through 3.0.0-alpha2
Description:
Sulu is an open-source PHP content management system based on the Symfony framework. The issue allows an admin user to upload SVG files that are parsed with the XML DOM library, which may load external data from the document, potentially leading to insecure XML External Entity (XXE) references.
Recommendations:
For versions 2.5.21 through 2.5.24, update to version 2.5.25 or later.
For versions 2.6.5 through 2.6.8, update to version 2.6.9 or later.
For versions 3.0.0-alpha1 through 3.0.0-alpha2, update to version 3.0.0-alpha3 or later.
As a temporary workaround, one may manually patch the affected file
src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php.
Exploit · Fix · XXE
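The description above says the SVG is handed to the XML DOM library, which is where external entities get resolved. The following is an added example, not Sulu's own code or its fix: a conservative inspector in the spirit of the affected SvgFileInspector that refuses any DOCTYPE/ENTITY machinery before parsing and then parses with network access disabled and entity substitution off. Class and method names, and the sample documents, are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Sulu's code: a conservative SVG inspector that rejects
// entity/DOCTYPE machinery and parses without network or entity substitution.
final class SafeSvgInspector
{
    private const SVG_NS = 'http://www.w3.org/2000/svg';

    /** Returns null if the SVG is acceptable, otherwise the rejection reason. */
    public static function inspect(string $svg): ?string
    {
        // Plain SVG never needs a DOCTYPE; refuse entity declarations outright.
        if (preg_match('/<!(DOCTYPE|ENTITY)\b/i', $svg) === 1) {
            return 'DOCTYPE or ENTITY declaration found';
        }
        if (PHP_VERSION_ID < 80000) {
            // Older PHP resolves external entities unless told not to.
            libxml_disable_entity_loader(true);
        }
        $previous = libxml_use_internal_errors(true);
        try {
            $dom = new DOMDocument();
            // LIBXML_NONET forbids network fetches while parsing; LIBXML_NOENT and
            // LIBXML_DTDLOAD are deliberately absent so nothing is substituted or loaded.
            if (!$dom->loadXML($svg, LIBXML_NONET)) {
                return 'not well-formed XML';
            }
            if ($dom->doctype !== null) {
                return 'DOCTYPE present after parse'; // belt and braces
            }
            $root = $dom->documentElement;
            if ($root === null || $root->localName !== 'svg' || $root->namespaceURI !== self::SVG_NS) {
                return 'root element is not <svg> in the SVG namespace';
            }
            return null;
        } finally {
            libxml_clear_errors();
            libxml_use_internal_errors($previous);
        }
    }
}

// Constructed samples: a benign icon and an upload declaring an external entity.
$benign = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>';
$hostile = '<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY ext SYSTEM "file:///placeholder">]>'
    . '<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text></svg>';

var_dump(SafeSvgInspector::inspect($benign));  // NULL: accepted
var_dump(SafeSvgInspector::inspect($hostile)); // "DOCTYPE or ENTITY declaration found"
```

Run the inspector before the file is stored or rendered; rejecting at upload time means a later consumer that parses with more permissive flags never sees the entity declaration.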
Affected Products
Sulu