Fabien Potencier

**Name of the Vulnerable Software and Affected Versions** Twig versions 2.16.x Twig versions 3.9.0 through 3.25.x **Description** A sandbox bypass exists when using a `SourcePolicyInterface`. This occurs because a runtime check fails to use the current template source, allowing attackers with template rendering capabilities to pass arbitrary PHP callables to the `sort`, `filter`, `map`, and `reduce` filters. This can lead to arbitrary code execution when the sandbox is enabled via a source policy instead of globally. **Recommendations** Update Twig versions 2.16.x to a newer version containing the fix. Update Twig versions 3.9.0 through 3.25.x to a newer version containing the fix.

**Name of the Vulnerable Software and Affected Versions** Twig versions 1.x prior to 1.44.7 Twig versions 2.x prior to 2.15.3 Twig versions 3.x prior to 3.4.3 **Description** The issue arises when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. **Recommendations** For versions 1.x prior to 1.44.7, update to version 1.44.7 or later. For versions 2.x prior to 2.15.3, update to version 2.15.3 or later. For versions 3.x prior to 3.4.3, update to version 3.4.3 or later. As a temporary workaround, consider restricting the use of the `source` and `include` statements with user-input template names until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Twig versions prior to 1.38.0 Twig versions 2.x prior to 2.7.0 **Description** A sandbox information disclosure issue exists because, under some circumstances, it is possible to call the ` toString()` method on an object even if not allowed by the security policy in place. This could allow a remote attacker to access confidential data. **Recommendations** For Twig versions prior to 1.38.0, update to version 1.38.0 or later. For Twig versions 2.x prior to 2.7.0, update to version 2.7.0 or later. As a temporary workaround, consider restricting access to objects that could be exploited through the ` toString()` method until a patch is available.

**Name of the Vulnerable Software and Affected Versions** FOSUserBundle versions prior to 1.3.3 **Description** The issue allows remote attackers to cause a denial of service, specifically CPU consumption, by submitting a long password to the login form. This triggers an expensive hash computation, such as a PBKDF2 computation. **Recommendations** For versions prior to 1.3.3, update to version 1.3.3 or later to resolve the issue. As a temporary workaround, consider restricting the maximum password length to prevent excessive CPU consumption.