CVE-2024-45592

8.2 HIGH

📋 TL;DR

This vulnerability allows attackers to inject JavaScript into pages rendered by auditor-bundle (formerly DoctrineAuditBundle) in Symfony applications, where it executes in the browsers of users viewing those pages. The issue affects all Symfony 3.4+ applications using vulnerable versions of auditor-bundle, enabling cross-site scripting (XSS) attacks.

💻 Affected Systems

Products:
  • auditor-bundle (formerly DoctrineAuditBundle)
Versions: All versions before 5.2.6 and before 6.0.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Symfony 3.4+ applications that use the vulnerable Twig macro with the %source_label% parameter.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could steal session cookies, perform actions as authenticated users, redirect users to malicious sites, or deploy additional malware payloads.

🟠 Likely Case: Session hijacking, credential theft, and unauthorized actions performed in the context of authenticated users.

🟢 If Mitigated: Limited impact with proper Content Security Policy (CSP) headers and input validation, though XSS could still bypass some controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to control the value rendered through the %source_label% parameter, typically through user input or data manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.2.6 or 6.0.0

Vendor Advisory: https://github.com/DamienHarper/auditor-bundle/security/advisories/GHSA-78vg-7v27-hj67

Restart Required: No

Instructions:

1. Update composer.json to require "damienharper/auditor-bundle": "^5.2.6" or "^6.0.0"
2. Run composer update damienharper/auditor-bundle
3. Clear Symfony cache: php bin/console cache:clear

🔧 Temporary Workarounds

Manual Twig Escape (applies to: all affected versions)

Manually escape the %source_label% parameter in your Twig templates: replace {{ source_label }} with {{ source_label|e('html') }} in the affected templates.

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to block inline script execution
  • Apply input validation and sanitization to all user inputs that could affect the %source_label% parameter

🔍 How to Verify

Check if Vulnerable:

Check composer.lock for a damienharper/auditor-bundle version below 5.2.6 or below 6.0.0

Check Version:

composer show damienharper/auditor-bundle | grep versions

Verify Fix Applied:

Verify that composer.lock shows version 5.2.6 or higher, or 6.0.0 or higher
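To run this check against a composer.lock mechanically, here is an added example script (not from the auditor-bundle project or the advisory); it assumes only the version bounds stated above and uses a constructed lock excerpt as input:

```python
import json
import re

PACKAGE = "damienharper/auditor-bundle"
# Fixed releases named in the advisory: 5.2.6 for the 5.x line, 6.0.0 for the 6.x line.
FIXED = {5: (5, 2, 6), 6: (6, 0, 0)}
# composer.lock versions look like "v5.2.5", "5.2.6", "6.0.0-beta1" or "dev-main".
_VER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")

def parse_version(raw):
    """Return (major, minor, patch, is_prerelease), or None for dev branches."""
    m = _VER.match(raw.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre is not None

def is_vulnerable(raw):
    """True if below the fixed release of its line; None when the version cannot be parsed."""
    v = parse_version(raw)
    if v is None:
        return None  # e.g. "dev-main": review the checked-out commit by hand
    major, minor, patch, pre = v
    if major < 5:
        return True  # every release older than the 5.x line predates the fix
    fixed = FIXED.get(major)
    if fixed is None:
        return False  # 7.x and later were released after the fix
    core = (major, minor, patch)
    if core < fixed:
        return True
    return core == fixed and pre  # a 6.0.0 pre-release is still "before 6.0.0"

def find_installed(lock_text):
    """Return the locked version of the package, searching 'packages' and 'packages-dev'."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                return pkg.get("version")
    return None

def check_lock(lock_text):
    """Return (version, vulnerable) for the lock file; version is None if not installed."""
    version = find_installed(lock_text)
    return version, (None if version is None else is_vulnerable(version))

# Constructed composer.lock excerpt for demonstration (not a real project's lock file).
SAMPLE_LOCK = json.dumps({"packages": [{"name": PACKAGE, "version": "v5.2.5"}], "packages-dev": []})
print(check_lock(SAMPLE_LOCK))  # ('v5.2.5', True)
```

Run it with the real file's contents (for example `check_lock(open("composer.lock").read())`); a `None` result means the version string is a dev branch and needs a manual look.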

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript payloads in audit logs
  • Suspicious characters in %source_label% parameters

Network Indicators:

  • Unexpected external script loads from audit pages

SIEM Query:

source="symfony" AND ("%source_label%" OR "auditor-bundle") AND ("<script>" OR "javascript:")
