GoogleOSV:GHSA-78VG-7V27-HJ67auditor-bundle vulnerable to Cross-site Scripting because name of entity does not get escaped
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L
AI Score
Confidence
Low
EPSS
Percentile
21.3%
Summary
Unescaped entity property enables Javascript injection.
Details
I think this is possible because %source_label% in twig macro is not escaped. Therefore script tags can be inserted and are executed.
PoC
- clone example project https://github.com/DamienHarper/auditor-bundle-demo
- create author with FullName <script>alert()</script>
- delete author
- view audit of authors
- alert is displayed
Impact
persistent XSS. JS can be injected and executed.
References
github.com/DamienHarper/auditor-bundle
github.com/DamienHarper/auditor-bundle/commit/42ba2940d8b99467de0c806ea5655cc1c6882cd1
github.com/DamienHarper/auditor-bundle/commit/e7deb377fa89677d44973b486d26d6a7374233ae
github.com/DamienHarper/auditor-bundle/security/advisories/GHSA-78vg-7v27-hj67
nvd.nist.gov/vuln/detail/CVE-2024-45592
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L
AI Score
Confidence
Low
EPSS
Percentile
21.3%