auditor-bundle, formerly known as DoctrineAuditBundle, integrates auditor library into any Symfony 3.4+ application. Prior to version 5.2.6, there is an unescaped entity property enabling Javascript injection. This is possible because `%source_label%` in twig macro is not escaped. Therefore script tags can be inserted and are executed. The vulnerability is fixed in versions 6.0.0 and 5.2.6.
References
Configurations
History
20 Sep 2024, 19:57
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/DamienHarper/auditor-bundle/commit/42ba2940d8b99467de0c806ea5655cc1c6882cd1 - Patch | |
References | () https://github.com/DamienHarper/auditor-bundle/commit/e7deb377fa89677d44973b486d26d6a7374233ae - Patch | |
References | () https://github.com/DamienHarper/auditor-bundle/security/advisories/GHSA-78vg-7v27-hj67 - Vendor Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.1 |
First Time |
Damienharper
Damienharper auditor-bundle |
|
CPE | cpe:2.3:a:damienharper:auditor-bundle:*:*:*:*:*:*:*:* |
18 Sep 2024, 20:15
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
|
Summary | (en) auditor-bundle, formerly known as DoctrineAuditBundle, integrates auditor library into any Symfony 3.4+ application. Prior to version 5.2.6, there is an unescaped entity property enabling Javascript injection. This is possible because `%source_label%` in twig macro is not escaped. Therefore script tags can be inserted and are executed. The vulnerability is fixed in versions 6.0.0 and 5.2.6. | |
References |
|
10 Sep 2024, 16:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-09-10 16:15
Updated : 2024-09-20 19:57
NVD link : CVE-2024-45592
Mitre link : CVE-2024-45592
CVE.ORG link : CVE-2024-45592
JSON object : View
Products Affected
damienharper
- auditor-bundle
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')