Lucene search

GitHub Advisory DatabaseGHSA-XW83-PWRM-9J74

HistoryMay 14, 2022 - 2:03 a.m.

Twig remote code execution in templates

2022-05-1402:03:50

CWE-74

GitHub Advisory Database

github.com

sensio labs twig

sandbox mode

template.php

remote code execution

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

AI Score

8.2

Confidence

Low

EPSS

0.072

Percentile

94.1%

JSON

The displayBlock function Template.php in Sensio Labs Twig before 1.20.0, when Sandbox mode is enabled, allows remote attackers to execute arbitrary code via the _self variable in a template.

Affected configurations

Vulners

Node

twigtwigRange<1.20.0

References

openwall.com/lists/oss-security/2015/08/21/3

openwall.com/lists/oss-security/2015/10/11/2

symfony.com/blog/security-release-twig-1-20-0

www.debian.org/security/2015/dsa-3343

github.com/advisories/GHSA-xw83-pwrm-9j74

github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2015-7809.yaml

github.com/twigphp/Twig/commit/30be07759a3de2558da5224f127d052ecf492e8f

github.com/twigphp/Twig/pull/1759

nvd.nist.gov/vuln/detail/CVE-2015-7809

symfony.com/blog/security-release-twig-1-20-0

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

AI Score

8.2

Confidence

Low

EPSS

0.072

Percentile

94.1%

JSON

Related for GHSA-XW83-PWRM-9J74