CVE-2024-45592

Source
https://cve.org/CVERecord?id=CVE-2024-45592
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-45592.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-45592
Aliases
Published
2024-09-10T16:00:14.887Z
Modified
2026-02-03T07:37:28.287763Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L
Summary
auditor-bundle vulnerable to Cross-site Scripting because name of entity does not get escaped
Details

auditor-bundle, formerly known as DoctrineAuditBundle, integrates the auditor library into any Symfony 3.4+ application. Prior to version 5.2.6, an unescaped entity property enables JavaScript injection: the %source_label% value in the Twig macro is not escaped, so script tags can be inserted and are executed. The vulnerability is fixed in versions 6.0.0 and 5.2.6.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/45xxx/CVE-2024-45592.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/damienharper/auditor-bundle

Affected ranges

Type
GIT
Repo
https://github.com/damienharper/auditor-bundle
Events

Affected versions

5.*
5.0.0
5.0.1
5.0.2
5.0.3
5.1.0
5.1.1
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4
5.2.5

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-45592.json"