Fabien Potencier

12 exploits Active since Jul 2018
CVE-2018-13818 CRITICAL WRITEUP
symfony/twig < 2.4.4 - Server-Side Template Injection via search_key Parameter
Twig before 2.4.4 allows Server-Side Template Injection (SSTI) via the search_key parameter. NOTE: the vendor points out that Twig itself is not a web application and states that it is the responsibility of web applications using Twig to properly wrap input to it.
CVSS 9.8
CVE-2022-23614 HIGH WRITEUP
Twig 2.0.0-2.14.11 - Remote Code Execution via Sort Filter Arrow Parameter
Twig is an open source template language for PHP. When in sandbox mode, the `arrow` parameter of the `sort` filter must be a closure to prevent attackers from running arbitrary PHP functions. In affected versions this constraint was not properly enforced and could lead to injection of arbitrary PHP code. Patched versions now disallow calling a non-Closure in the `sort` filter, as is already the case for some other filters. Users are advised to upgrade.
CVSS 8.8
CVE-2024-45411 HIGH WRITEUP
Twig <1.44.8, <2.16.1, <3.14.0 - RCE
Twig is a template language for PHP. Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. This vulnerability is fixed in 1.44.8, 2.16.1, and 3.14.0.
CVSS 8.5
CVE-2019-9942 LOW WRITEUP
Twig < 1.38.0 and 2.x < 2.7.0 - Sandbox Information Disclosure via __toString() Method
A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed by the security policy in place.
CVSS 3.7
CVE-2022-39261 HIGH WRITEUP
Twig < 1.44.7, 2.x < 2.15.3, 3.x < 3.4.3 - Path Traversal via Namespace Bypass
Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.
CVSS 7.5
CVE-2023-34448 HIGH WRITEUP
Grav < 1.7.42 - Server-Side Template Injection via Twig map() and reduce() Functions
Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default `filter()` function, did not block other built-in functions exposed by Twig's Core Extension that could be used to invoke arbitrary unsafe functions, thereby allowing remote code execution. A patch in version 1.7.42 overrides the built-in Twig `map()` and `reduce()` filter functions in `system/src/Grav/Common/Twig/Extension/GravExtension.php` to validate the argument passed to the filter in `$arrow`.
CVSS 8.8
CVE-2024-28119 HIGH WRITEUP
Grav < 1.7.45 - Authenticated Remote Code Execution via Twig Escape Function Redefinition
Grav is an open-source, flat-file content management system. Prior to version 1.7.45, due to unrestricted access to the Twig extension class from the Grav context, an attacker can redefine the escape function and execute arbitrary commands. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance. Version 1.7.45 contains a patch for this issue.
CVSS 8.8
CVE-2024-51754 LOW WRITEUP
Twig <3.11.2, <3.14.1 - Info Disclosure
Twig is a template language for PHP. In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance). This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.
CVSS 2.2
CVE-2025-24374 MEDIUM WRITEUP
Twig 3.16.0-3.18.9 - Cross-Site Scripting via Null Coalescing Operator
Twig is a template language for PHP. When using the `??` operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0.
CVSS 4.3