CVE-2018-13818

Twig before 2.4.4 allows Server-Side Template Injection (SSTI) via the search search_key parameter. NOTE: the vendor points out that Twig itself is not a web application and states that it is the responsibility of web applications using Twig to properly wrap input to it
Configurations

Configuration 1 (hide)

cpe:2.3:a:symfony:twig:*:*:*:*:*:*:*:*

History

21 Nov 2024, 03:48

Type Values Removed Values Added
References () https://github.com/twigphp/Twig/blob/2.x/CHANGELOG - Release Notes () https://github.com/twigphp/Twig/blob/2.x/CHANGELOG - Release Notes
References () https://github.com/twigphp/Twig/commit/eddb97148ad779f27e670e1e3f19fb323aedafeb - Patch, Third Party Advisory () https://github.com/twigphp/Twig/commit/eddb97148ad779f27e670e1e3f19fb323aedafeb - Patch, Third Party Advisory
References () https://github.com/twigphp/Twig/issues/2743 - Exploit, Third Party Advisory () https://github.com/twigphp/Twig/issues/2743 - Exploit, Third Party Advisory
References () https://mobile.twitter.com/jameel_nabbo/status/1032593354704515072?s=20 - Exploit, Third Party Advisory () https://mobile.twitter.com/jameel_nabbo/status/1032593354704515072?s=20 - Exploit, Third Party Advisory
References () https://www.exploit-db.com/exploits/44102/ - Exploit, Third Party Advisory, VDB Entry () https://www.exploit-db.com/exploits/44102/ - Exploit, Third Party Advisory, VDB Entry

07 Nov 2023, 02:52

Type Values Removed Values Added
Summary ** DISPUTED ** Twig before 2.4.4 allows Server-Side Template Injection (SSTI) via the search search_key parameter. NOTE: the vendor points out that Twig itself is not a web application and states that it is the responsibility of web applications using Twig to properly wrap input to it. Twig before 2.4.4 allows Server-Side Template Injection (SSTI) via the search search_key parameter. NOTE: the vendor points out that Twig itself is not a web application and states that it is the responsibility of web applications using Twig to properly wrap input to it

Information

Published : 2018-07-10 14:29

Updated : 2024-11-21 03:48


NVD link : CVE-2018-13818

Mitre link : CVE-2018-13818

CVE.ORG link : CVE-2018-13818


JSON object : View

Products Affected

symfony

  • twig
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')