CVE-2024-51754 - Low Severity Vulnerability
Vulnerable Library - twig/twig-2.x-dev
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/a1d84cfbc1c2f99ee4af361eb0a32dad47723b01
Dependency Hierarchy:
- corneltek/cliframework-4.2.0 (Root Library)
  - corneltek/codegen-dev-master
    - :x: **twig/twig-2.x-dev** (Vulnerable Library)
Found in HEAD commit: 81f84f058af0cbca57ee22476557ded21c6813aa
Found in base branch: master
Vulnerability Details
Twig is a template language for PHP. In a sandbox, an attacker can call "__toString()" on an object even if the "__toString()" method is not allowed by the security policy, when the object is part of an array or an argument list (for instance, the arguments to a function or a filter). The sandbox already checks "__toString()" when an object is printed directly, but that check was not applied to objects reached through array elements or call arguments, so a sandboxed template can still coerce such an object to a string and read whatever its string form exposes. Only applications that render untrusted templates through Twig's sandbox extension are affected, and the attacker must already be able to supply such a template. This issue has been patched in versions 3.11.2 and 3.14.1. The dependency found here is a 2.x development snapshot, for which no fixed release is listed, so remediation means moving to a patched 3.x release. All users are advised to upgrade. There are no known workarounds for this issue.
Publish Date: 2024-11-06
URL: CVE-2024-51754
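The following PHP script is an added example, not code from the advisory or from the Twig project. It reproduces the condition the advisory describes so a practitioner can check the Twig version actually installed in this tree: a sandbox policy that allows no methods (so "__toString()" is forbidden), one template that prints the object directly, and one that reaches it through an array passed to a filter. The "Secret" class, the template names and the "s" variable are assumptions made for the demonstration; it assumes twig/twig is installed via Composer in the current directory.

```php
<?php
// Added example (not from the advisory or Twig): checks whether the installed
// Twig sandbox still lets a template call __toString() on an object reached
// through an array or argument list. Run with: php check_twig_sandbox.php
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Hypothetical object whose string form carries something a sandboxed
// template must never see. The policy below lists no allowed methods, so
// calling __toString() on it is not permitted.
final class Secret
{
    public function __toString(): string
    {
        return 'constructed-secret-value'; // constructed sample data
    }
}

$policy = new SecurityPolicy(
    [],        // allowed tags: none
    ['join'],  // allowed filters: only join, used by the indirect template
    [],        // allowed methods: none, so Secret::__toString() is forbidden
    [],        // allowed properties: none
    []         // allowed functions: none
);

$twig = new Environment(new ArrayLoader([
    // Direct output of the object: the sandbox checks __toString() here.
    'direct'   => '{{ s }}',
    // The object is an element of an array handed to a filter, which is the
    // code path the advisory says bypassed the policy before 3.11.2 / 3.14.1.
    'indirect' => '{{ [s]|join }}',
]));
// Second argument true: every template rendered by this environment is sandboxed.
$twig->addExtension(new SandboxExtension($policy, true));

$results = [];
foreach (['direct', 'indirect'] as $name) {
    try {
        $out = $twig->render($name, ['s' => new Secret()]);
        $results[$name] = 'RENDERED: ' . $out;
    } catch (SecurityError $e) {
        // SecurityNotAllowedMethodError is the expected outcome for a policy
        // that does not allow __toString().
        $results[$name] = 'BLOCKED: ' . get_class($e);
    }
}

printf("twig/twig %s\n", Environment::VERSION);
foreach ($results as $name => $result) {
    printf("%-8s %s\n", $name, $result);
}
```

Per the advisory, a version without the fix blocks the "direct" template but renders the "indirect" one, exposing the string form of the object; on 3.11.2 / 3.14.1 or later both templates should be blocked with a SecurityError. Pair the script with `composer show twig/twig` to confirm which version is resolved in the lock file, since the hierarchy above pins a development branch rather than a tagged release.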
CVSS 3 Score Details (2.2)
Vector: AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: High (the attacker must already be able to author templates that run in the sandbox)
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low (disclosure of whatever the object's "__toString()" returns)
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://github.com/twigphp/Twig/security/advisories/GHSA-6377-hfv9-hqf6
Release Date: 2024-11-06
Fix Resolution: twig/twig 3.11.2 or 3.14.1 (patch releases on the 3.11 and 3.14 lines; no fixed release is listed for the 2.x branch in use here)