CVE-2024-37156

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-37156
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-37156.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-37156
Aliases
Published
2024-06-06T16:03:46Z
Modified
2025-10-30T20:26:43.179941Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
TokenController formName not sanitized in hidden input
Details

The SuluFormBundle adds support for creating dynamic forms in Sulu Admin. The TokenController GET parameter formName is not sanitized before it is reflected into the value attribute of the returned hidden input field, which allows reflected cross-site scripting (XSS). This vulnerability is fixed in version 2.5.3.
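The following is an added illustration of the vulnerability class the advisory describes; it is not code from the advisory or from SuluFormBundle. It models a request parameter reflected unescaped into the value attribute of a hidden input, places the attribute-escaped rendering beside it, and adds a small check that parses the rendered fragment and flags anything other than a single hidden input with its expected attributes. The input markup, the function names, the benign form name and the two payload strings are assumptions constructed for this example; the bundle's real template and endpoint are not reproduced on this page.

```python
import html
from html.parser import HTMLParser

# Assumed markup: a hidden input carrying the reflected parameter.
# The actual SuluFormBundle template is not shown on the advisory page.


def render_hidden_input_vulnerable(form_name: str) -> str:
    """Reflects the raw GET parameter into an attribute (the CWE-79/CWE-80 pattern)."""
    return f'<input type="hidden" name="formName" value="{form_name}">'


def render_hidden_input_fixed(form_name: str) -> str:
    """Attribute-context escaping. quote=True is the important part: it turns
    the double quote into &quot; so the value can never close the attribute.
    Escaping only < and > would still let a '" onfocus=...' payload through."""
    return f'<input type="hidden" name="formName" value="{html.escape(form_name, quote=True)}">'


class _TagCollector(HTMLParser):
    """Collects every start tag with its attributes from a markup fragment."""

    def __init__(self) -> None:
        super().__init__()  # convert_charrefs=True: attribute values are unescaped
        self.tags: list[tuple[str, dict]] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup: str) -> list[tuple[str, dict]]:
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def is_injected(markup: str) -> bool:
    """True when the parameter broke out of its attribute: either extra tags
    appeared, or the single input carries attributes beyond type/name/value."""
    tags = parse_tags(markup)
    if len(tags) != 1:
        return True
    tag, attrs = tags[0]
    return tag != "input" or set(attrs) != {"type", "name", "value"}


# Constructed payloads for the example; not taken from the advisory.
BREAKOUT_PAYLOAD = '"><script>alert(document.domain)</script><input value="'
EVENT_PAYLOAD = '" autofocus onfocus="alert(1)'
BENIGN_NAME = "contact"


if __name__ == "__main__":
    for payload in (BENIGN_NAME, BREAKOUT_PAYLOAD, EVENT_PAYLOAD):
        for label, render in (("vulnerable", render_hidden_input_vulnerable),
                              ("fixed", render_hidden_input_fixed)):
            markup = render(payload)
            print(f"{label:10} injected={is_injected(markup)!s:5} {markup}")
```

The second payload is the reason attribute context needs its own escaping rule: it never uses `<` or `>`, so a filter that only strips tags (the CWE-80 view of the bug) leaves it intact, while quoting the double quote defeats both payloads. The `is_injected` check is a cheap regression test to keep next to any template that reflects request data into an attribute.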

Database specific
{
    "cwe_ids": [
        "CWE-79",
        "CWE-80"
    ]
}
References

Affected packages

Git / github.com/sulu/suluformbundle

Affected ranges

Type
GIT
Repo
https://github.com/sulu/suluformbundle
Events

Affected versions

1.*

1.2.0

2.*

2.0.0
2.1.0
2.1.1
2.1.2
2.1.3
2.2.0
2.2.1
2.3.0
2.4.0
2.5.0
2.5.1
2.5.2