GHSA-xw83-pwrm-9j74

Source
https://github.com/advisories/GHSA-xw83-pwrm-9j74
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xw83-pwrm-9j74/GHSA-xw83-pwrm-9j74.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xw83-pwrm-9j74
Aliases
  • CVE-2015-7809
Published
2022-05-14T02:03:50Z
Modified
2024-05-30T13:26:54.932820Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Twig remote code execution in templates
Details

The displayBlock function in Template.php in Sensio Labs Twig before 1.20.0, when Sandbox mode is enabled, allows remote attackers to execute arbitrary code via the _self variable in a template.

Database specific
{
    "nvd_published_at": "2015-11-06T21:59:00Z",
    "cwe_ids": [
        "CWE-74"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-30T12:39:43Z"
}
References

Affected packages

Packagist / twig/twig

Package

Name
twig/twig
Purl
pkg:composer/twig/twig

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.20.0

Affected versions

1.*

1.3.0
1.4.0
1.5.0
1.5.1
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5

v1.*

v1.7.0
v1.8.0
v1.8.1
v1.8.2
v1.8.3
v1.9.0
v1.9.1
v1.9.2
v1.10.0
v1.10.1
v1.10.2
v1.10.3
v1.11.0
v1.11.1
v1.12.0-RC1
v1.12.0
v1.12.1
v1.12.2
v1.12.3
v1.13.0
v1.13.1
v1.13.2
v1.14.0
v1.14.1
v1.14.2
v1.15.0
v1.15.1
v1.16.0
v1.16.1
v1.16.2
v1.16.3
v1.17.0
v1.18.0
v1.18.1
v1.18.2
v1.19.0