auditor-bundle vulnerable to Cross-site Scripting because name of entity does not get escaped

auditor-bundle, formerly known as DoctrineAuditBundle, integrates auditor library into any Symfony 3.4+ application. Prior to version 5.2.6, there is an unescaped entity property enabling Javascript injection. This is possible because `%source_label%` in twig macro is not escaped. Therefore script tags can be inserted and are executed. The vulnerability is fixed in versions 6.0.0 and 5.2.6.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

auditor-bundle 跨站脚本漏洞

auditor-bundle是Damien Harper个人开发者的一个工具。 auditor-bundle 6.0.0之前版本存在跨站脚本漏洞，该漏洞源于有一个未转义的实体属性可以启用Javascript注入。

N/A

N/A