Twig is a template language for PHP. Versions 1.x before 1.44.7, 2.x before 2.15.3, and 3.x before 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
symfony twig |
||
drupal drupal |
||
fedoraproject fedora 35 |
||
fedoraproject fedora 36 |
||
fedoraproject fedora 37 |
||
debian debian linux 10.0 |
||
debian debian linux 11.0 |