Skip to main content

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVE-2022-23614

Severity High
Score 9.8/10

Summary

Twig is an open source template language for PHP. In Twig versions 2.0.x before 2.14.11, 3.0.x before 3.3.8 when in a sandbox mode, the `arrow` parameter of the `sort` filter must be a closure to avoid attackers being able to run arbitrary PHP functions. In affected versions this constraint was not properly enforced and could lead to code injection of arbitrary PHP code. Patched versions now disallow calling non Closure in the `sort` filter as is the case for some other filters. Users are advised to upgrade.

  • LOW
  • NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • NONE
  • HIGH
  • HIGH

CWE-74 - Injection

Listed as the number one web application security risk on the 'OWASP Top Ten', injection attacks are widespread and dangerous, especially in legacy applications. Injection attacks are a class of vulnerabilities in which an attacker injects untrusted data into a web application that gets processed by an interpreter, altering the program's execution. This can result in data loss/theft, loss of data integrity, denial of service, and even compromising the entire system.

Advisory Timeline

  • Published