Fabpot

Name of the Vulnerable Software and Affected Versions: Twig versions prior to 1.44.8 Twig versions prior to 2.16.1 Twig versions prior to 3.14.0 Description: Under some circumstances, the sandbox security checks are not run, which allows user-contributed templates to bypass the sandbox restrictions. This issue occurs when the sandbox is disabled globally, and a sandboxed `include()` function references a template name that has been loaded before in a non-sandbox context. Recommendations: For versions prior to 1.44.8, update to version 1.44.8 or later. For versions prior to 2.16.1, update to version 2.16.1 or later. For versions prior to 3.14.0, update to version 3.14.0 or later. As a temporary workaround, consider enabling the sandbox security checks globally to prevent user-contributed templates from bypassing the sandbox restrictions.

**Name of the Vulnerable Software and Affected Versions** Symfony versions prior to 2.3.37 Symfony versions 2.6.x prior to 2.6.13 Symfony versions 2.7.x prior to 2.7.9 **Description** The issue concerns the generation of random numbers by the nextBytes function in the SecureRandom class. When used with PHP 5.x and without the paragonie/random compat library, the function does not work correctly if the openssl random pseudo bytes function fails. This makes it easier for attackers to bypass cryptographic protection mechanisms. **Recommendations** For Symfony versions prior to 2.3.37, update to version 2.3.37 or later. For Symfony versions 2.6.x prior to 2.6.13, update to version 2.6.13 or later. For Symfony versions 2.7.x prior to 2.7.9, update to version 2.7.9 or later.

**Name of the Vulnerable Software and Affected Versions** Sensio Labs Twig versions prior to 1.20.0 **Description** The issue allows remote attackers to execute arbitrary code via the ` self` variable in a template when Sandbox mode is enabled. This is related to the `displayBlock` function in `Template.php`. **Recommendations** For versions prior to 1.20.0, update to version 1.20.0 or later to resolve the issue. As a temporary workaround, consider disabling the `displayBlock` function or restricting the use of the ` self` variable in templates until a patch is available. Restrict access to the `Template.php` file to minimize the risk of exploitation.