CVE-2024-27915: 
PHP vulnerability analysis and mitigation

A security vulnerability (CVE-2024-27915) was identified in Sulu, a PHP content management system, affecting versions from 2.2.0 up to versions 2.4.17 and 2.5.13. The vulnerability allows access to pages regardless of role permissions in webspaces that have a security system configured and permission check enabled (GitHub Advisory, NVD).

The vulnerability is classified as an Incorrect Authorization issue (CWE-863). It has received a CVSS v3.1 base score of 8.1 (HIGH) from NIST with a vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, while GitHub assessed it with a score of 6.8 (MEDIUM) with vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N (NVD).

The vulnerability affects webspaces with configured security systems and enabled permission checks, allowing unauthorized access to pages that should be restricted by role permissions. This could potentially lead to unauthorized users accessing sensitive content (GitHub Advisory).

The vulnerability has been patched in Sulu versions 2.4.17 and 2.5.13. For users unable to upgrade immediately, two workarounds are available: either remove specific lines from vendor/symfony/security-http/HttpUtils.php or avoid installing symfony/security-http versions greater than or equal to v5.4.30 or v6.3.6 (GitHub Advisory).