CVE-2024-51754

LOW

Twig <3.11.2, <3.14.1 - Info Disclosure

Title source: llm

Description

Twig is a template language for PHP. In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance). This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.

References (3)

Scores

CVSS v3 2.2
EPSS 0.0010
EPSS Percentile 27.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N

Classification

CWE
CWE-668
Status draft

Affected Products (1)

twig/twig < 3.11.2Packagist

Timeline

Published Nov 06, 2024
Tracked Since Feb 18, 2026