FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

pear-twig -- remote code execution

Affected packages
pear-twig-twig < 1.20.0

Details

VuXML ID 705b759c-7293-11e5-a371-14dae9d210b8
Discovery 2015-08-12
Entry 2015-10-14

Fabien Potencier reports:

End users can craft valid Twig code that allows them to execute arbitrary code (RCEs) via the _self variable, which is always available, even in sandboxed templates.

References

CVE Name CVE-2015-7809
URL http://symfony.com/blog/security-release-twig-1-20-0