Search for packages
| purl | pkg:deb/debian/php-twig@3.5.1-1%2Bdeb12u1?distro=trixie |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1au7-86r7-8qdn
Aliases: CVE-2024-51754 GHSA-6377-hfv9-hqf6 |
Twig has unguarded calls to `__toString()` when nesting an object into an array ### Description In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance). ### Resolution The sandbox mode now checks the `__toString()` method call on all objects. The patch for this issue is available [here](https://github.com/twigphp/Twig/commit/cafc608ece310e62a35a76f17e25c04ab9ed05cc) for the 3.11.x branch, and [here](https://github.com/twigphp/Twig/commit/d4a302681bca9f7c6ce2835470d53609cdf3e23e) for the 3.x branch. ### Credits We would like to thank Jamie Schouten for reporting the issue and Fabien Potencier for providing the fix. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-2mrj-u2wu-wkhv
Aliases: CVE-2025-24374 GHSA-3xg3-cgvq-2xwr |
Twig security issue where escaping was missing when using null coalesce operator When using the `??` operator, output escaping was missing for the expression on the left side of the operator. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-cd24-q2ys-yfbe
Aliases: CVE-2024-51755 GHSA-jjxq-ff2g-95vh |
Twig has unguarded calls to `__isset()` and to array-accesses when the sandbox is enabled ### Description In a sandbox, and attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property policy and the `__isset()` method is now called after the security check. **This is a BC break.** ### Resolution The sandbox mode now ensures access to array-like's properties is allowed. The patch for this issue is available [here](https://github.com/twigphp/Twig/commit/ec39a9dccc5fb4eaaba55e5d79a6f84a8dd8b69d) for the 3.11.x branch, and [here](https://github.com/twigphp/Twig/commit/b957e5a44cc0075d04ccff52f8fa9d8e6db3e3a0) for the 3.x branch. ### Credits We would like to thank Jamie Schouten for reporting the issue and Nicolas Grekas for providing the fix. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-etje-vrfw-nbh4 | Twig has a possible sandbox bypass ### Description Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. The security issue happens when all these conditions are met: * The sandbox is disabled globally; * The sandbox is enabled via a sandboxed `include()` function which references a template name (like `included.twig`) and not a `Template` or `TemplateWrapper` instance; * The included template has been loaded before the `include()` call but in a non-sandbox context (possible as the sandbox has been globally disabled). ### Resolution The patch ensures that the sandbox security checks are always run at runtime. ### Credits We would like to thank Fabien Potencier for reporting and fixing the issue. |
CVE-2024-45411
GHSA-6j75-5wfj-gh66 |
| VCID-ummk-h11z-bkaj | Twig may load a template outside a configured directory when using the filesystem loader # Description When using the filesystem loader to load templates for which the name is a user input, it is possible to use the `source` or `include` statement to read arbitrary files from outside the templates directory when using a namespace like `@somewhere/../some.file` (in such a case, validation is bypassed). # Resolution We fixed validation for such template names. Even if the 1.x branch is not maintained anymore, a new version has been released. # Credits We would like to thank Dariusz Tytko for reporting the issue and Fabien Potencier for fixing the issue. |
CVE-2022-39261
GHSA-52m2-vc4m-jj33 |
| VCID-yypq-j9mx-6qa4 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Twig is an open source template language for PHP.Patched versions now disallow calling non Closure in the `sort` filter as is the case for some other filters. Users are advised to upgrade. |
CVE-2022-23614
GHSA-5mv2-rx3q-4w2v |