Search CVE reports
1 – 7 of 7 results
CVE-2024-51755
Medium priorityTwig is a template language for PHP. In a sandbox, an attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property policy and the `__isset()` method is...
2 affected packages
php-twig, twig
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
php-twig | Needs evaluation | Needs evaluation | Needs evaluation | — | — |
twig | Not in release | Not in release | Not in release | Needs evaluation | Needs evaluation |
CVE-2024-51754
Medium priorityTwig is a template language for PHP. In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of an array or an argument list...
2 affected packages
php-twig, twig
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
php-twig | Needs evaluation | Needs evaluation | Needs evaluation | — | — |
twig | Not in release | Not in release | Not in release | Needs evaluation | Needs evaluation |
CVE-2024-45411
Medium priorityTwig is a template language for PHP. Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. This vulnerability is fixed in 1.44.8, 2.16.1, and 3.14.0.
2 affected packages
php-twig, twig
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
php-twig | Needs evaluation | Needs evaluation | Needs evaluation | — | — |
twig | Not in release | Not in release | Not in release | Needs evaluation | Needs evaluation |
CVE-2022-39261
Medium prioritySome fixes available 4 of 5
Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use...
2 affected packages
php-twig, twig
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
php-twig | Not affected | Fixed | Fixed | Not in release | Ignored |
twig | Not in release | Not in release | Not in release | Fixed | Fixed |
CVE-2022-23614
Medium priorityTwig is an open source template language for PHP. When in a sandbox mode, the `arrow` parameter of the `sort` filter must be a closure to avoid attackers being able to run arbitrary PHP functions. In affected versions this...
2 affected packages
php-twig, twig
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
php-twig | Not affected | Not affected | Fixed | Not in release | Ignored |
twig | — | — | — | Not affected | Not affected |
CVE-2019-9942
Medium prioritySome fixes available 2 of 3
A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed by the security policy in place.
2 affected packages
php-twig, twig
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
php-twig | — | Not affected | Not affected | Not in release | Not in release |
twig | — | Not in release | Not in release | Fixed | Fixed |
CVE-2018-13818
Medium priority** DISPUTED ** Twig before 2.4.4 allows Server-Side Template Injection (SSTI) via the search search_key parameter. NOTE: the vendor points out that Twig itself is not a web application and states that it is the responsibility of...
2 affected packages
php-twig, twig
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
php-twig | Not affected | Not affected | Not affected | Not in release | Not in release |
twig | Not in release | Not in release | Not in release | Not affected | Not affected |