auditor-bundle, formerly known as DoctrineAuditBundle, integrates auditor library into any Symfony 3.4+ application. Prior to version 5.2.6, there is an unescaped entity property enabling Javascript injection. This is possible because `%source_label%` in twig macro is not escaped. Therefore script tags can be inserted and are executed. The vulnerability is fixed in versions 6.0.0 and 5.2.6.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| damienharper/auditor-bundle(Packagist) | 0 | 5.2.6 | N/A |
CVSS Metrics
