CVE-2024-45592

Published: Sep 10, 2024

Modified: Sep 20, 2024

PUBLISHED

CVSS v3.1

8.2

HIGH

Description

auditor-bundle, formerly known as DoctrineAuditBundle, integrates auditor library into any Symfony 3.4+ application. Prior to version 5.2.6, there is an unescaped entity property enabling Javascript injection. This is possible because `%source_label%` in twig macro is not escaped. Therefore script tags can be inserted and are executed. The vulnerability is fixed in versions 6.0.0 and 5.2.6.

Vendor	Product	Versions
DamienHarper	auditor-bundle	affected `< 5.2.6`

Weaknesses (CWE)

CWE-79

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

Low

References

https://github.com/DamienHarper/auditor-bundle/security/advisories/GHSA-78vg-7v27-hj67

x_refsource_CONFIRM

https://github.com/DamienHarper/auditor-bundle/commit/42ba2940d8b99467de0c806ea5655cc1c6882cd1

x_refsource_MISC

https://github.com/DamienHarper/auditor-bundle/commit/e7deb377fa89677d44973b486d26d6a7374233ae

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-45592

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References