CVE-2015-7809 — Injection in Twig

CWE-264 CWE-74 — Injection5 documents5 sources

Severity

6.8MEDIUMNVD

EPSS

2.0%

top 16.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Twig Symfony Twig

Timeline

PublishedNov 6

Latest updateMay 14

Description

The displayBlock function Template.php in Sensio Labs Twig before 1.20.0, when Sandbox mode is enabled, allows remote attackers to execute arbitrary code via the _self variable in a template.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages2 packages

▶Packagisttwig/twig< 1.20.0

▶NVDsymfony/twig1.19.0

🔴Vulnerability Details

GHSA

Twig remote code execution in templates↗2022-05-14

▶

OSV

Twig remote code execution in templates↗2022-05-14

▶

CVEList

CVE-2015-7809: The displayBlock function Template↗2015-11-06

▶

💬Community

Bugzilla

CVE-2015-7809 php-twig: Remote code execution via Twig templates↗2015-08-21

▶