Fabien Potencier

7 exploits Active since Mar 2019
CVE-2019-9942 WRITEUP LOW WRITEUP
Twig <2.7.0 - Info Disclosure
A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed by the security policy in place.
CVSS 3.7
CVE-2022-39261 WRITEUP HIGH WRITEUP
Symfony Twig < 1.44.7 - Path Traversal
Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.
CVSS 7.5
CVE-2023-34448 WRITEUP HIGH WRITEUP
Grav < 1.7.42 - Remote Code Execution
Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default `filter()` function, did not block other built-in functions exposed by Twig's Core Extension that could be used to invoke arbitrary unsafe functions, thereby allowing for remote code execution. A patch in version 1.74.2 overrides the built-in Twig `map()` and `reduce()` filter functions in `system/src/Grav/Common/Twig/Extension/GravExtension.php` to validate the argument passed to the filter in `$arrow`.
CVSS 8.8
CVE-2024-28119 WRITEUP HIGH WRITEUP
Grav < 1.7.45 - Code Injection
Grav is an open-source, flat-file content management system. Prior to version 1.7.45, due to the unrestricted access to twig extension class from grav context, an attacker can redefine the escape function and execute arbitrary commands. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance. Version 1.7.45 contains a patch for this issue.
CVSS 8.8
CVE-2024-45411 WRITEUP HIGH WRITEUP
Twig <1.44.8, <2.16.1, <3.14.0 - RCE
Twig is a template language for PHP. Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. This vulnerability is fixed in 1.44.8, 2.16.1, and 3.14.0.
CVSS 8.5
CVE-2024-51754 WRITEUP LOW WRITEUP
Twig <3.11.2, <3.14.1 - Info Disclosure
Twig is a template language for PHP. In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance). This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.
CVSS 2.2
CVE-2025-24374 WRITEUP MEDIUM WRITEUP
Twig < 3.19.0 - Injection
Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0.
CVSS 4.3