CVE-2024-27915: Sulu grants access to pages regardless of role permissions

6.8 CVSS

Description

Sulu is a PHP content management system. Starting in verson 2.2.0 and prior to version 2.4.17 and 2.5.13, access to pages is granted regardless of role permissions for webspaces which have a security system configured and permission check enabled. Webspaces without do not have this issue. The problem is patched in versions 2.4.17 and 2.5.13. Some workarounds are available. One may apply the patch to `vendor/symfony/security-http/HttpUtils.php` manually or avoid installing `symfony/security-http` versions greater equal than `v5.4.30` or `v6.3.6`.

Classification

CVE ID: CVE-2024-27915

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.8

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Problem Types

CWE-863: Incorrect Authorization

Affected Products

Vendor: sulu

Product: sulu

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.09% (probability of being exploited)

EPSS Percentile: 26.71% (scored less or equal to compared to others)

EPSS Date: 2025-04-18 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: total

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-27915
https://github.com/sulu/sulu/security/advisories/GHSA-jr83-m233-gg6p
https://github.com/sulu/sulu/commit/ec9c3f99e15336dc4f6877f512300f231c17c6da

Timeline

2025-04-16 16:40:22 UTC
CVE

Sulu grants access to pages regardless of role permissions