auditor-bundle vulnerable to Cross-site Scripting because name of entity does not get escaped
Description
Summary
Unescaped entity property enables JavaScript injection.
Details
I think this is possible because %source_label% in the Twig macro is not escaped. Therefore script tags can be inserted and are executed.
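To make the root cause concrete, here is an added example of the unsafe pattern beside two hardened forms. This is not the bundle's own template: the macro names, the message key 'audit.entity_deleted' and the message text are assumed for illustration.

```twig
{# Added illustration, not the bundle's template. Assumed message for
   'audit.entity_deleted': "Entity <strong>%source_label%</strong> was deleted" #}

{# Unsafe: |raw marks the whole translated string as safe, so the entity
   name substituted into %source_label% is emitted verbatim. A name such as
   <script>alert()</script> is then executed in the audit view. #}
{% macro deleted_label_unsafe(source_label) %}
    {{ 'audit.entity_deleted'|trans({'%source_label%': source_label})|raw }}
{% endmacro %}

{# Hardened: escape the untrusted parameter before substitution, so only the
   translator-controlled markup of the message itself stays raw. #}
{% macro deleted_label_safe(source_label) %}
    {{ 'audit.entity_deleted'|trans({'%source_label%': source_label|e})|raw }}
{% endmacro %}

{# Simplest form when the message carries no markup: drop |raw entirely and
   let Twig's autoescape handle the whole rendered string. #}
{% macro deleted_label_plain(source_label) %}
    {{ 'audit.entity_deleted'|trans({'%source_label%': source_label}) }}
{% endmacro %}
```

In the two hardened macros a name containing `<script>` renders as `&lt;script&gt;`, which is the check to run against the audit view after patching.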
PoC
- Clone the example project https://github.com/DamienHarper/auditor-bundle-demo
- Create an author with FullName <script>alert()</script>
- Delete the author
- View the audit of authors
- The alert is displayed
Impact
Persistent XSS: JavaScript can be injected and executed.
Severity
Moderate
CVSS v4 base metrics
Exploitability Metrics
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Low
User Interaction: Passive
Vulnerable System Impact Metrics
Confidentiality: None
Integrity: None
Availability: None
Subsequent System Impact Metrics
Confidentiality: High
Integrity: Low
Availability: Low
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L
EPSS score: 34th percentile
CVE ID
CVE-2024-45592
GHSA ID
GHSA-78vg-7v27-hj67
Credits
@fkropfhamer (Reporter)