A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed by the security policy in place.
Mend Note: Converted from WS-2019-0022, on 2021-08-01.
CVE-2019-9942 - Low Severity Vulnerability
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/daa657073e55b0a78cce8fdd22682fddecc6385f
Dependency Hierarchy: - :x: **twig/twig-v1.35.0** (Vulnerable Library)
Found in HEAD commit: 9265509e6f8f33da6589d91be95eae590b521f37
Found in base branch: master
A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed by the security policy in place. Mend Note: Converted from WS-2019-0022, on 2021-08-01.
Publish Date: 2019-03-23
URL: CVE-2019-9942
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9942
Release Date: 2019-03-23
Fix Resolution: v2.7.0