Overview
- Description
- Twig is a template language for PHP. When Twig runs in sandbox mode, the security policy decides which methods a template may call, and `__toString()` is one of them. The sandbox enforces that check when an object is printed directly, but it did not apply it when the object reached a string conversion indirectly: as an element of an array, or as an argument (to a function or a filter, for instance). In those positions PHP's implicit string conversion invokes `__toString()` without the policy being consulted, so a template author can read the string form of an object the policy was meant to keep opaque. The issue is fixed in Twig 3.11.2 and 3.14.1, one release on each maintained line, so an installation on 3.12.x or 3.13.x is above 3.11.2 yet still needs 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.
- Source
- security-advisories@github.com
- NVD status
- Awaiting Analysis
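The following script is an added illustration of the bypass shape the advisory describes; it is not Twig's code and not a proof of concept taken from the advisory. It assumes `twig/twig` is installed with Composer (`vendor/autoload.php`), and it constructs its own inputs: a `Secret` class whose only feature is a `__toString()`, three inline templates, and a hypothetical Twig function `reveal` that stands in for any allowed function that casts its argument to a string. The policy allows no methods at all, so `__toString()` is forbidden on every class; the three templates then try to reach it directly, through an array literal passed to the `join` filter, and through a function argument.

```php
<?php
// Added example for CVE-2024-51754 (not Twig's own code). Assumes twig/twig
// installed via Composer; Secret, reveal and the templates are constructed here.
declare(strict_types=1);

require __DIR__.'/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;
use Twig\TwigFunction;

/** Stand-in for any object whose string form the policy must keep out of templates. */
final class Secret
{
    public function __toString(): string
    {
        return 'TOP-SECRET';
    }
}

function buildSandbox(): Environment
{
    $twig = new Environment(new ArrayLoader([
        // Direct output: the sandbox has always run the __toString check here.
        'direct'   => '{{ secret }}',
        // Object hidden inside an array literal, then stringified by a filter (implode).
        'in_array' => '{{ [secret]|join("") }}',
        // Object passed as a function argument and stringified by the callee.
        'as_arg'   => '{{ reveal(secret) }}',
    ]));

    // Hypothetical helper: any allowed function that casts its argument would do.
    $twig->addFunction(new TwigFunction('reveal', static fn($v): string => (string) $v));

    $policy = new SecurityPolicy(
        [],                  // allowed tags
        ['escape', 'join'],  // allowed filters ('escape' is needed because autoescape is on)
        [],                  // allowed methods: none, so __toString is forbidden on every class
        [],                  // allowed properties
        ['reveal'],          // allowed functions
    );
    // Second argument true: every template is sandboxed, no {% sandbox %} tag needed.
    $twig->addExtension(new SandboxExtension($policy, true));

    return $twig;
}

/** Render one template and report whether the sandbox policy stopped it. */
function probe(Environment $twig, string $name): string
{
    try {
        return 'RENDERED: '.$twig->render($name, ['secret' => new Secret()]);
    } catch (SecurityError $e) {
        return 'BLOCKED: '.$e::class;
    }
}

$twig = buildSandbox();
foreach (['direct', 'in_array', 'as_arg'] as $name) {
    printf("%-9s %s\n", $name, probe($twig, $name));
}
```

Per the advisory, on Twig 3.11.2 / 3.14.1 or later all three probes should report `BLOCKED` with a `SecurityNotAllowedMethodError`, while on an affected version only `direct` is blocked and the other two render `TOP-SECRET`. Running the script against the installed version is therefore a quick way to confirm that an upgrade actually took effect, which matters because there is no policy-side workaround: the policy is consulted only where the compiled template inserts the check, so no combination of allowed filters, functions or methods closes the gap on an unpatched version.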
Risk scores
CVSS 3.1
- Type
- Secondary
- Base score
- 2.2
- Impact score
- 1.4
- Exploitability score
- 0.7
- Vector string
- CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
- Severity
- LOW
Weaknesses
- security-advisories@github.com
- CWE-668
Social media
- Hype score
- Not currently trending
Twig CVE-2024-51754: Unguarded calls to __toString() in a sandbox when an object is in an array or an argument. - https://t.co/8hSFBk9jhT #PHP #PHPNews
@phpinthenews
7 Nov 2024
12 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2024-51754 Critical Security Flaw in Twig Allows Unauthorized Method Calls Twig is a template language used with PHP. A security issue appears when Twig is in a sandbox. An attacker can call `__toString()` on... https://t.co/yjFPXqXkV6
@VulmonFeeds
7 Nov 2024
33 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2024-51754 Twig is a template language for PHP. In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security p… https://t.co/gid5nuBW1q
@CVEnew
6 Nov 2024
365 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes