Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS14dzgzLXB3cm0tOWo3NM4AAU8Q

Twig remote code execution in templates

The displayBlock function Template.php in Sensio Labs Twig before 1.20.0, when Sandbox mode is enabled, allows remote attackers to execute arbitrary code via the _self variable in a template.

Permalink: https://github.com/advisories/GHSA-xw83-pwrm-9j74
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14dzgzLXB3cm0tOWo3NM4AAU8Q
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 6 months ago


CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-xw83-pwrm-9j74, CVE-2015-7809
References: Repository: https://github.com/twigphp/Twig
Blast Radius: 41.5

Affected Packages

packagist:twig/twig
Dependent packages: 5,794
Dependent repositories: 131,829
Downloads: 349,684,109 total
Affected Version Ranges: < 1.20.0
Fixed in: 1.20.0
All affected versions: 1.3.0, 1.4.0, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.7.0, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.11.0, 1.11.1, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.14.1, 1.14.2, 1.15.0, 1.15.1, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.17.0, 1.18.0, 1.18.1, 1.18.2, 1.19.0
All unaffected versions: 1.20.0, 1.21.0, 1.21.1, 1.21.2, 1.22.0, 1.22.1, 1.22.2, 1.22.3, 1.23.0, 1.23.1, 1.23.2, 1.23.3, 1.24.0, 1.24.1, 1.24.2, 1.25.0, 1.26.0, 1.26.1, 1.27.0, 1.28.0, 1.28.1, 1.28.2, 1.29.0, 1.30.0, 1.31.0, 1.32.0, 1.33.0, 1.33.1, 1.33.2, 1.34.0, 1.34.1, 1.34.2, 1.34.3, 1.34.4, 1.35.0, 1.35.1, 1.35.2, 1.35.3, 1.35.4, 1.36.0, 1.37.0, 1.37.1, 1.38.0, 1.38.1, 1.38.2, 1.38.3, 1.38.4, 1.39.0, 1.39.1, 1.40.0, 1.40.1, 1.41.0, 1.42.0, 1.42.1, 1.42.2, 1.42.3, 1.42.4, 1.42.5, 1.43.0, 1.43.1, 1.44.0, 1.44.1, 1.44.2, 1.44.3, 1.44.4, 1.44.5, 1.44.6, 1.44.7, 1.44.8, 2.0.0, 2.0.4, 2.0.5, 2.0.6, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.5.0, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.8.0, 2.8.1, 2.9.0, 2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.12.0, 2.12.1, 2.12.2, 2.12.3, 2.12.4, 2.12.5, 2.13.0, 2.13.1, 2.14.0, 2.14.1, 2.14.2, 2.14.3, 2.14.4, 2.14.5, 2.14.6, 2.14.7, 2.14.8, 2.14.9, 2.14.10, 2.14.11, 2.14.12, 2.14.13, 2.15.0, 2.15.1, 2.15.2, 2.15.3, 2.15.4, 2.15.5, 2.15.6, 2.16.0, 2.16.1, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9, 3.3.10, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.8.0, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.10.0, 3.10.1, 3.10.2, 3.10.3, 3.11.0, 3.11.1, 3.11.2, 3.11.3, 3.12.0, 3.13.0, 3.14.0, 3.14.1, 3.14.2, 3.15.0