24 matches found
CVE-2022-39261 Twig may load a template outside a configured directory when using the filesystem loader
Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the source or include statement to read arbitrary files from outsi...
PT-2022-24853 · Twig +4 · Twig +4
Name of the Vulnerable Software and Affected Versions: Twig versions 1.x prior to 1.44.7 Twig versions 2.x prior to 2.15.3 Twig versions 3.x prior to 3.4.3 Description: The issue arises when the filesystem loader loads templates for which the name is a user input. It is possible to use the source...
CVE-2022-39261
Twig is affected: versions 1.x before 1.44.7, 2.x before 2.15.3, and 3.x before 3.4.3 have a vulnerability where the filesystem loader can read arbitrary files when a template name is user-controlled (e.g., @namespace/../file) due to validation bypass. The fixed releases are 1.44.7, 2.15.3, and 3...
Vulnerability in the filesystem loader
More info at http://blog.twig.sensiolabs.org/post/47461911874/security-release-twig-1-12-3-released...