SCA: security update for sulu/sulu (GHSA-wfm4-pq59-wg6r)

medium Tenable Self-Hosted Container Security Plugin ID 419902

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- In Sulu before versions 1.6.35, 2.0.10, and 2.1.1, when the "Forget password" feature on the login screen
is used, Sulu asks the user for a username or email address. If the given string is not found, a response
with a `400` error code is returned, along with a error message saying that this user name does not exist.
This enables attackers to retrieve valid usernames. Also, the response of the "Forgot Password" request
returns the email address to which the email was sent, if the operation was successful. This information
should not be exposed, as it can be used to gather email addresses. This problem was fixed in versions
1.6.35, 2.0.10 and 2.1.1. (CVE-2020-15132)

See Also

https://github.com/advisories/GHSA-wfm4-pq59-wg6r

Plugin Details

Severity: Medium

ID: 419902

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2020-15132

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/5/2020

Vulnerability Publication Date: 8/5/2020

Reference Information

CVE: CVE-2020-15132

cwe: CWE-209