CVE-2023-39343

Sulu is an open-source PHP content management system based on the Symfony framework. It allows over the Admin Login form to detect which user (username, email) exists and which one do not exist. Sulu Installation not using the old Symfony 5.4 security System and previous version are not impacted by this Security issue. The vulnerability has been patched in version 2.5.10.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/sulu/sulu/commit/5f6c98ba030b2005793e2dc647cc938937ea889b	Patch
https://github.com/sulu/sulu/releases/tag/2.5.10	Release Notes
https://github.com/sulu/sulu/security/advisories/GHSA-wmwf-49vv-p3mr	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-08-04 01:15

Updated : 2023-08-08 18:55

NVD link : CVE-2023-39343

Mitre link : CVE-2023-39343

CVE.ORG link : CVE-2023-39343

JSON object : View

Products Affected

sulu

sulu

CWE

CWE-204

Observable Response Discrepancy

{"id": "CVE-2023-39343", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2023-08-04T01:15:10.250", "references": [{"url": "https://github.com/sulu/sulu/commit/5f6c98ba030b2005793e2dc647cc938937ea889b", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/sulu/sulu/releases/tag/2.5.10", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/sulu/sulu/security/advisories/GHSA-wmwf-49vv-p3mr", "tags": ["Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-204"}]}], "descriptions": [{"lang": "en", "value": "Sulu is an open-source PHP content management system based on the Symfony framework. It allows over the Admin Login form to detect which user (username, email) exists and which one do not exist. Sulu Installation not using the old Symfony 5.4 security System and previous version are not impacted by this Security issue. The vulnerability has been patched in version 2.5.10. \n\n"}], "lastModified": "2023-08-08T18:55:13.367", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A840F85F-B8DC-41C1-81BE-691995D30ADF", "versionEndExcluding": "2.5.10", "versionStartIncluding": "2.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}