CVE-2021-43835: 
PHP vulnerability analysis and mitigation

Sulu, an open-source PHP content management system based on the Symfony framework, was affected by a privilege escalation vulnerability (CVE-2021-43835). The vulnerability was discovered in versions 2.0.0-RC1 through 2.2.17, 2.3.0-RC through 2.3.7, and 2.4.0-RC1. Users with access to any subset of the admin UI could elevate their privileges through the API, allowing them to grant themselves permissions to areas they did not previously have access to (GitHub Advisory).

The vulnerability was introduced in version 2.0.0-RC1 with the implementation of the new ProfileController putAction. The issue stemmed from improper validation of user permissions in the ProfileController, which allowed authenticated users to manipulate their access rights through API requests. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.2 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) (NVD).

The vulnerability only affected users who already had access to the admin UI. However, these users could exploit the vulnerability to grant themselves unauthorized permissions to restricted areas of the system, effectively bypassing the intended access control mechanisms (GitHub Advisory).

The vulnerability has been patched in versions 2.2.18, 2.3.8, and 2.4.0. For users unable to upgrade, the only known workaround is to manually patch the ProfileController. The fix involves implementing proper validation of user permissions and restricting the data that can be modified through the API (GitHub Advisory, GitHub Patch).