Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Code injection in Twig
Vulnerability Description
Twig is an open source template language for PHP. When in a sandbox mode, the `arrow` parameter of the `sort` filter must be a closure to avoid attackers being able to run arbitrary PHP functions. In affected versions this constraint was not properly enforced and could lead to code injection of arbitrary PHP code. Patched versions now disallow calling non Closure in the `sort` filter as is the case for some other filters. Users are advised to upgrade.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
输出中的特殊元素转义处理不恰当(注入)
Vulnerability Title
Sensio Labs Twig 代码代码注入漏洞
Vulnerability Description
Sensio Labs Twig是法国Sensio Labs公司的一个PHP模板引擎,它支持自定义标签和过滤器,并创建DSL。 Sensio Labs Twig 存在代码注入漏洞,在沙箱模式下,sort过滤器的 arrow 参数必须是一个闭包,以避免攻击者利用该漏洞运行任意PHP函数。在受影响的版本中,这个约束没有被适当地强制执行,可能导致任意PHP代码的代码注入。
CVSS Information
N/A
Vulnerability Type
N/A