8.2
CVE-2024-45592
- EPSS 0.42%
- Veröffentlicht 10.09.2024 16:15:21
- Zuletzt bearbeitet 20.09.2024 19:57:05
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Loginauditor-bundle vulnerable to Cross-site Scripting because name of entity does not get escaped
auditor-bundle, formerly known as DoctrineAuditBundle, integrates auditor library into any Symfony 3.4+ application. Prior to version 5.2.6, there is an unescaped entity property enabling Javascript injection. This is possible because `%source_label%` in twig macro is not escaped. Therefore script tags can be inserted and are executed. The vulnerability is fixed in versions 6.0.0 and 5.2.6.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Damienharper ≫ Auditor-bundle Version >= 5.0.0 < 5.2.6
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.42% | 0.335 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
| security-advisories@github.com | 8.2 | 2.3 | 5.3 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://github.com/DamienHarper/auditor-bundle/commit/42ba2940d8b99467de0c806ea5655cc1c6882cd1
https://github.com/DamienHarper/auditor-bundle/commit/e7deb377fa89677d44973b486d26d6a7374233ae
https://github.com/DamienHarper/auditor-bundle/security/advisories/GHSA-78vg-7v27-hj67