CVE-2024-47618
📋 TL;DR
Sulu CMS versions before 2.6.5 contain a stored cross-site scripting (XSS) vulnerability: a low-privileged user with access to the Media section can upload an SVG file containing embedded JavaScript (for example a <script> element). When another user, including an administrator, opens that file in the browser, the script runs in the context of the Sulu site. Any Sulu installation that grants media upload rights to non-administrator accounts is affected.
💻 Affected Systems
- Sulu CMS
📦 What is this software?
Sulu by Sulu
⚠️ Risk & Real-World Impact
Worst Case
An administrator's session is hijacked, or actions are performed with their privileges, giving the attacker full control of the CMS (content, users, configuration) and a foothold for further attacks on the hosting environment.
Likely Case
Session hijacking, credential theft, or privilege escalation: the attacker plants the SVG in the media library and waits for higher-privileged users to open it.
If Mitigated
Limited impact with proper user privilege separation and content security policies in place.
🎯 Exploit Status
Exploitation requires an authenticated account with media upload rights. No special tooling is needed: an SVG file with embedded JavaScript is enough. Note that script inside an SVG runs only when the file is opened as a document (direct URL, iframe, object), not when it is displayed through an <img> tag, so the exposure is users opening the uploaded file directly.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.6.5
Vendor Advisory: https://github.com/sulu/sulu/security/advisories/GHSA-255w-87rh-rg44
Restart Required: Yes
Instructions:
1. Back up your Sulu installation and database.
2. Update Sulu to 2.6.5 or later with Composer: 'composer require sulu/sulu:^2.6.5'
3. Clear the cache: 'bin/console cache:clear'
4. Restart or reload PHP-FPM and your web server so the updated code is loaded (opcache may otherwise keep serving the old classes).
🔧 Temporary Workarounds
Restrict SVG uploads
Block requests for SVG files at the web server or WAF until you can patch. Both rules below match on the request path or file name, so they only help where Sulu serves uploaded media under a URL ending in .svg; check how your installation exposes uploaded files before relying on them. They also block legitimate SVG assets.
# Apache: add to .htaccess (Apache 2.4 syntax; on 2.2 use 'Deny from all' instead)
<FilesMatch "\.svg$">
Require all denied
</FilesMatch>
# Nginx: add to the server block
location ~* \.svg$ {
deny all;
}
Implement Content Security Policy
Add a Content Security Policy so inline script (in an SVG or any other page) is not executed. A site-wide 'script-src 'self'' forbids every inline script and may break the Sulu admin or templates that rely on them; test it in the admin before rolling out, or scope the header to the paths that serve uploaded media. The Apache form requires mod_headers.
# Apache (mod_headers): add to the virtual host or .htaccess
Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
# Or in PHP, before any output is sent
header("Content-Security-Policy: default-src 'self'; script-src 'self'");
🧯 If You Can't Patch
- Remove Media section upload permissions from every role that does not strictly need them
- Implement strict file type validation at the application level that rejects SVG files, identified by content and not only by file extension
🔍 How to Verify
Check if Vulnerable:
Check the installed Sulu version with Composer: 'composer show sulu/sulu | grep versions'. Anything below 2.6.5 is vulnerable.
Check Version:
composer show sulu/sulu | grep versions
Verify Fix Applied:
After the update, confirm 'composer show sulu/sulu' reports 2.6.5 or later. Then, with a test account that has media upload rights, upload an SVG containing a <script> element and open it from the admin: the upload should be rejected or sanitized, and in any case no script should execute.
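The following is an added example, not code from Sulu or the advisory. It shows the application-level check from the "If You Can't Patch" list, with two policies: reject every SVG (the advisory's workaround), or accept an SVG only when a scan finds no active content (script elements, event-handler attributes, javascript: links, foreignObject). The constructed test files at the bottom double as the payload for the verification step above. Function and file names are mine; the stdlib XML parser is used so this runs anywhere, but untrusted XML should go through defusedxml in production.

```python
"""Application-level SVG upload check (added example, not Sulu code).

Two policies: reject every SVG (allow_svg=False), or accept only SVGs
in which a scan finds no active content. Uses stdlib xml.etree so it
runs stand-alone; parse untrusted XML with defusedxml in production
to defend against entity-expansion attacks.
"""
import xml.etree.ElementTree as ET

# Elements that can run script or embed arbitrary HTML.
ACTIVE_ELEMENTS = {"script", "foreignObject"}


def _local(name: str) -> str:
    """Strip a namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]


def _scan(root: ET.Element) -> list[str]:
    """Walk every element and collect findings of active content."""
    findings = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"element <{tag}>")
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):  # onload, onclick, onbegin ...
                findings.append(f"event handler {aname} on <{tag}>")
            elif aname == "href":  # plain href or xlink:href
                # Browsers ignore whitespace/control characters inside the
                # scheme, so 'java\tscript:' must still count as javascript:.
                if "".join(value.split()).lower().startswith("javascript:"):
                    findings.append(f"javascript: URI in {aname} on <{tag}>")
    return findings


def svg_active_content(data: bytes) -> list[str]:
    """Findings for one SVG document; an empty list means none found.
    Raises ET.ParseError on malformed XML, which an upload handler
    should also treat as a rejection."""
    return _scan(ET.fromstring(data))


def check_upload(filename: str, data: bytes, allow_svg: bool = False) -> tuple[bool, str]:
    """Decision for one upload: (accepted, reason).

    SVG is recognised by content as well as by extension, so a renamed
    .png that is really SVG is still caught."""
    try:
        root = ET.fromstring(data)
        is_svg_body = _local(root.tag) == "svg"
    except ET.ParseError:
        root, is_svg_body = None, False
    is_svg_name = filename.lower().endswith(".svg")

    if not (is_svg_name or is_svg_body):
        return True, "not an SVG; outside this check"
    if root is None:
        return False, "svg extension but not well-formed XML"
    if not allow_svg:
        return False, "svg uploads disabled"
    findings = _scan(root)
    if findings:
        return False, "; ".join(findings)
    return True, "svg without active content"


# Constructed test files (hypothetical, not taken from any real incident).
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="green"/>
</svg>"""

SCRIPT_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
  <script>alert(document.domain)</script>
</svg>"""

HANDLER_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">
  <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="java&#9;script:alert(1)">
    <text y="10">click</text>
  </a>
</svg>"""

if __name__ == "__main__":
    for name, blob in [("logo.svg", CLEAN_SVG), ("logo.svg", SCRIPT_SVG),
                       ("icon.png", HANDLER_SVG)]:
        print(name, check_upload(name, blob, allow_svg=True))
```

Use SCRIPT_SVG as the verification file: upload it to the patched instance and open it from the admin; the alert must not fire. The scanner is a denylist and will not catch every obfuscation a browser accepts, which is why rejecting SVG outright remains the safer interim policy.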
📡 Detection & Monitoring
Log Indicators:
- Unusual SVG file uploads from user accounts
- Multiple failed SVG upload attempts
- Admin account accessing suspicious media files
Network Indicators:
- POST requests to media upload endpoints with SVG content
- Unusual outbound connections from admin sessions
SIEM Query:
source="web_logs" AND (uri_path="/admin/media" OR uri_path="/media") AND (file_extension="svg" OR content_type="image/svg+xml")
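The SIEM query above is written in Splunk-like pseudo-syntax and its field names will differ per platform. As an added example (not Sulu or any SIEM vendor code), the same rule plus the "multiple failed upload attempts" indicator is run below over constructed, already-parsed log events. It assumes the SIEM exposes user, method, uri_path, content_type, filename and status per request; a standard access log has no multipart filename, so that field must come from the application log or a request-body extraction. The upload paths are taken from the query above and are assumptions; list the real routes with 'bin/console debug:router' on your installation.

```python
"""Detection logic for the indicators above over constructed log events
(added example, not Sulu or SIEM vendor code)."""
from collections import Counter

# Assumed media upload routes; confirm against your Sulu routing.
MEDIA_UPLOAD_PATHS = {"/admin/media", "/media"}


def is_media_upload(ev: dict) -> bool:
    """A POST to one of the media upload routes."""
    return ev.get("method") == "POST" and ev.get("uri_path") in MEDIA_UPLOAD_PATHS


def is_svg_upload(ev: dict) -> bool:
    """The page's rule: media POST with an .svg name or SVG MIME type.
    Both are checked because either one alone is trivially evaded."""
    if not is_media_upload(ev):
        return False
    name = ev.get("filename", "").lower()
    ctype = ev.get("content_type", "").lower().split(";")[0].strip()
    return name.endswith(".svg") or ctype == "image/svg+xml"


def svg_uploads(events: list[dict]) -> list[dict]:
    """Every SVG upload; each deserves a look on an unpatched instance."""
    return [ev for ev in events if is_svg_upload(ev)]


def failed_upload_bursts(events: list[dict], threshold: int = 3) -> dict[str, int]:
    """Accounts with at least `threshold` failed (4xx/5xx) media uploads:
    the 'multiple failed SVG upload attempts' indicator."""
    counts = Counter(ev["user"] for ev in events
                     if is_media_upload(ev) and ev.get("status", 0) >= 400)
    return {user: n for user, n in counts.items() if n >= threshold}


# Constructed events for illustration, not real logs.
SAMPLE_EVENTS = [
    {"ts": "2024-10-01T09:00:01Z", "user": "editor1", "method": "POST", "uri_path": "/admin/media",
     "content_type": "image/svg+xml", "filename": "banner.svg", "status": 201},
    {"ts": "2024-10-01T09:00:05Z", "user": "editor1", "method": "POST", "uri_path": "/admin/media",
     "content_type": "image/png", "filename": "logo.png", "status": 201},
    {"ts": "2024-10-01T09:02:10Z", "user": "editor2", "method": "POST", "uri_path": "/admin/media",
     "content_type": "application/octet-stream", "filename": "chart.svg", "status": 400},
    {"ts": "2024-10-01T09:02:14Z", "user": "editor2", "method": "POST", "uri_path": "/admin/media",
     "content_type": "application/octet-stream", "filename": "chart.svg", "status": 400},
    {"ts": "2024-10-01T09:02:20Z", "user": "editor2", "method": "POST", "uri_path": "/admin/media",
     "content_type": "image/svg+xml; charset=utf-8", "filename": "chart", "status": 415},
    {"ts": "2024-10-01T09:05:00Z", "user": "admin", "method": "GET", "uri_path": "/admin/media",
     "content_type": "", "filename": "", "status": 200},
]

if __name__ == "__main__":
    for ev in svg_uploads(SAMPLE_EVENTS):
        print("SVG upload:", ev["ts"], ev["user"], ev["filename"] or ev["content_type"])
    print("failed-upload bursts:", failed_upload_bursts(SAMPLE_EVENTS))
```

On the sample data this flags four SVG uploads (one successful from editor1, three failed attempts from editor2) and reports editor2 as a failed-upload burst. Tune the threshold to your editors' normal behaviour; a single successful SVG upload by a low-privileged account is the event to triage first on an unpatched instance.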