Search for packages
| purl | pkg:composer/twig/twig@1.13.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1au7-86r7-8qdn
Aliases: CVE-2024-51754 GHSA-6377-hfv9-hqf6 |
Twig has unguarded calls to `__toString()` when nesting an object into an array ### Description In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance). ### Resolution The sandbox mode now checks the `__toString()` method call on all objects. The patch for this issue is available [here](https://github.com/twigphp/Twig/commit/cafc608ece310e62a35a76f17e25c04ab9ed05cc) for the 3.11.x branch, and [here](https://github.com/twigphp/Twig/commit/d4a302681bca9f7c6ce2835470d53609cdf3e23e) for the 3.x branch. ### Credits We would like to thank Jamie Schouten for reporting the issue and Fabien Potencier for providing the fix. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-4jwc-v1ar-q7ek
Aliases: CVE-2015-7809 GHSA-xw83-pwrm-9j74 |
Twig remote code execution in templates The `displayBlock` function `Template.php` in Sensio Labs Twig before 1.20.0, when Sandbox mode is enabled, allows remote attackers to execute arbitrary code via the `_self` variable in a template. |
Affected by 6 other vulnerabilities. |
|
VCID-cd24-q2ys-yfbe
Aliases: CVE-2024-51755 GHSA-jjxq-ff2g-95vh |
Twig has unguarded calls to `__isset()` and to array-accesses when the sandbox is enabled ### Description In a sandbox, and attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property policy and the `__isset()` method is now called after the security check. **This is a BC break.** ### Resolution The sandbox mode now ensures access to array-like's properties is allowed. The patch for this issue is available [here](https://github.com/twigphp/Twig/commit/ec39a9dccc5fb4eaaba55e5d79a6f84a8dd8b69d) for the 3.11.x branch, and [here](https://github.com/twigphp/Twig/commit/b957e5a44cc0075d04ccff52f8fa9d8e6db3e3a0) for the 3.x branch. ### Credits We would like to thank Jamie Schouten for reporting the issue and Nicolas Grekas for providing the fix. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-etje-vrfw-nbh4
Aliases: CVE-2024-45411 GHSA-6j75-5wfj-gh66 |
Twig has a possible sandbox bypass ### Description Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. The security issue happens when all these conditions are met: * The sandbox is disabled globally; * The sandbox is enabled via a sandboxed `include()` function which references a template name (like `included.twig`) and not a `Template` or `TemplateWrapper` instance; * The included template has been loaded before the `include()` call but in a non-sandbox context (possible as the sandbox has been globally disabled). ### Resolution The patch ensures that the sandbox security checks are always run at runtime. ### Credits We would like to thank Fabien Potencier for reporting and fixing the issue. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-qm9h-wdun-xkgx
Aliases: 2015-08-12 |
Code Injection Remote code execution in templates. |
Affected by 6 other vulnerabilities. |
|
VCID-tgj6-umnp-nug2
Aliases: GMS-2015-19 |
Remote Code Execution Your application is affected if you allow end users to submit Twig templates, even if you protected this template with Twig's sandbox mode. End users can craft valid Twig code that allows them to execute arbitrary code (RCEs) via the _self variable, which is always available, even in sandboxed templates. |
Affected by 6 other vulnerabilities. |
|
VCID-ummk-h11z-bkaj
Aliases: CVE-2022-39261 GHSA-52m2-vc4m-jj33 |
Twig may load a template outside a configured directory when using the filesystem loader # Description When using the filesystem loader to load templates for which the name is a user input, it is possible to use the `source` or `include` statement to read arbitrary files from outside the templates directory when using a namespace like `@somewhere/../some.file` (in such a case, validation is bypassed). # Resolution We fixed validation for such template names. Even if the 1.x branch is not maintained anymore, a new version has been released. # Credits We would like to thank Dariusz Tytko for reporting the issue and Fabien Potencier for fixing the issue. |
Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-xe7j-b1cs-eqct
Aliases: 2019-03-12 |
Sandbox Information Disclosure. |
Affected by 4 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-xscd-caaj-kqdk
Aliases: CVE-2019-9942 GHSA-vxrc-68xx-x48g |
Information Exposure Under some circumstances, it is possible to call the `__toString()` method on an object even if not allowed by the security policy in place. |
Affected by 4 other vulnerabilities. Affected by 5 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||