CVE-2021-43835 HIGH

CVE-2021-43835: Privilege escalation in the Sulu Admin panel

Vendor Sulu

Product sulu

Weakness CWE-269

Published December 15, 2021

Last update August 4, 2024

View on NVD All CVEs

CVSS base score

7.2/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Sulu is an open-source PHP content management system based on the Symfony framework. In affected versions Sulu users who have access to any subset of the admin UI are able to elevate their privilege. Over the API it was possible for them to give themselves permissions to areas which they did not already had. This issue was introduced in 2.0.0-RC1 with the new ProfileController putAction. The versions have been patched in 2.2.18, 2.3.8 and 2.4.0. For users unable to upgrade the only known workaround is to apply a patch to the ProfileController manually.

Key dates

02Disclosure timeline

December 15, 2021 CVE published

August 4, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-43835 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/269.html

Related vulnerabilities

Identifiers

CVE CVE-2021-43835

CWE CWE-269

CVSS 7.2 / HIGH

Affected versions

Vendor Sulu

Product sulu

Affected >= 2.0.0, < 2.2.18

Vendor Sulu

Product sulu

Affected >= 2.3.0, < 2.3.8

CVE-2021-43835: Privilege escalation in the Sulu Admin panel

01Description

02Disclosure timeline

03References

04Related CVE