Search for packages
| purl | pkg:composer/twig/twig@1.15.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-24vg-zmwt-aaam
Aliases: 2019-03-12 |
Sandbox Information Disclosure. |
Affected by 5 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-2qfc-daza-aaap
Aliases: CVE-2019-9942 GHSA-vxrc-68xx-x48g |
Sandbox Information Disclosure |
Affected by 5 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-6ygy-mamy-jkec
Aliases: CVE-2024-45411 GHSA-6j75-5wfj-gh66 |
Twig is a template language for PHP. Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. This vulnerability is fixed in 1.44.8, 2.16.1, and 3.14.0. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-bcv4-ry3v-aaab
Aliases: CVE-2022-39261 GHSA-52m2-vc4m-jj33 |
Twig may load a template outside a configured directory when using the filesystem loader |
Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-e9bz-nz6b-sbab
Aliases: CVE-2024-51755 GHSA-jjxq-ff2g-95vh |
Twig is a template language for PHP. In a sandbox, an attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property policy and the `__isset()` method is now called after the security check. This is a BC break. This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-jmc3-m3p5-aaaj
Aliases: 2015-08-12 |
Code Injection Remote code execution in templates. |
Affected by 7 other vulnerabilities. |
|
VCID-q1pp-7jby-aaas
Aliases: GHSA-7cvr-xhm5-x998 |
Twig Path Traversal vulnerability in the filesystem loader Twig is affected by path traversal vulnerability when used with Twig_Loader_Filesystem for loading Twig templates but only if the application is using non-trusted template names (names provided by a end-user for instance). When affected, it is possible to go up one directory for the paths configured in the application's loader. For instance, if the filesystem loader is configured with /path/to/templates as a path to look for templates, an attacker can force Twig to include a file stored in /path/to by prepending the path with /../ like in {% include "/../somefile_in_path_to" %} Note that using anything else (like ../somefile, /../../somefile, or ../../somefile) won’t work and the application will return a proper exception. | There are no reported fixed by versions. |
|
VCID-sc6z-mbzy-aaac
Aliases: GMS-2015-19 |
Remote Code Execution Your application is affected if you allow end users to submit Twig templates, even if you protected this template with Twig's sandbox mode. End users can craft valid Twig code that allows them to execute arbitrary code (RCEs) via the _self variable, which is always available, even in sandboxed templates. |
Affected by 7 other vulnerabilities. |
|
VCID-ydp7-f75t-27hn
Aliases: CVE-2024-51754 GHSA-6377-hfv9-hqf6 |
Twig is a template language for PHP. In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance). This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-yzvj-hyq6-aaar
Aliases: CVE-2015-7809 GHSA-xw83-pwrm-9j74 |
The displayBlock function Template.php in Sensio Labs Twig before 1.20.0, when Sandbox mode is enabled, allows remote attackers to execute arbitrary code via the _self variable in a template. |
Affected by 7 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||