CVE-2024-45592 Information

Description

auditor-bundle, formerly known as DoctrineAuditBundle, integrates the auditor library into any Symfony 3.4+ application. Prior to 6.0.0, an unescaped entity property enables JavaScript injection. This is possible because %source_label% in a Twig macro is not escaped, so script tags can be inserted and are executed. The vulnerability is fixed in 6.0.0.
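
The pattern the description refers to, as an added example that is not the bundle's own code: a message containing markup and a %source_label% placeholder, rendered once with the raw value and once with the value HTML-escaped before substitution. The message text, the function names and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed message: it carries its own markup, so a template has to
// print the finished string without auto-escaping it. Any placeholder
// value substituted into it therefore reaches the browser as HTML.
const SUMMARY = '<strong>%source_label%</strong> was updated by %user%';

/** Vulnerable pattern: placeholder values are substituted as-is. */
function renderSummaryUnsafe(string $message, array $params): string
{
    return strtr($message, $params);
}

/** Hardened pattern: each value is HTML-escaped before substitution. */
function renderSummarySafe(string $message, array $params): string
{
    $escaped = array_map(
        static fn ($value): string => htmlspecialchars(
            (string) $value,              // also covers Stringable entities
            ENT_QUOTES | ENT_SUBSTITUTE,  // escape both quote styles, replace invalid UTF-8
            'UTF-8'
        ),
        $params
    );

    return strtr($message, $escaped);
}

// Constructed sample: the label is taken from a property of the audited
// entity, i.e. data that an application user may have been able to set.
$params = [
    '%source_label%' => '<script>alert(1)</script>',
    '%user%'         => 'alice',
];

// The first line keeps the script element intact; the second renders it as text.
echo renderSummaryUnsafe(SUMMARY, $params), PHP_EOL;
echo renderSummarySafe(SUMMARY, $params), PHP_EOL;
```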

Reference

https://github.com/DamienHarper/auditor-bundle/security/advisories/GHSA-78vg-7v27-hj67
https://github.com/DamienHarper/auditor-bundle/commit/42ba2940d8b99467de0c806ea5655cc1c6882cd1
