Description
auditor-bundle, formerly known as DoctrineAuditBundle, integrates the auditor library into any Symfony 3.4+ application. Prior to version 5.2.6, an unescaped entity property allows JavaScript injection: the %source_label% placeholder in the Twig macro is not escaped, so script tags can be inserted and are executed. The vulnerability is fixed in versions 6.0.0 and 5.2.6.
References
- Patch
- Patch
- Vendor Advisory
Vulnerable configurations
Configuration 1: version from 5.0.0 (inclusive) up to 5.2.6 (exclusive)
cpe:2.3:a:damienharper:auditor-bundle:*:*:*:*:*:*:*:*
EPSS
Score: 0.00357 (percentile: 57%), Low
CVSS3: 8.2 High
CVSS3: 6.1 Medium
Weaknesses
CWE-79
Related vulnerabilities
CVSS3: 8.2
github
more than 1 year ago
auditor-bundle vulnerable to Cross-site Scripting because name of entity does not get escaped