Twig · Twig · CVE-2022-39261
**Name of the Vulnerable Software and Affected Versions**
Twig versions 1.x prior to 1.44.7
Twig versions 2.x prior to 2.15.3
Twig versions 3.x prior to 3.4.3
**Description**
The issue arises when the filesystem loader loads templates whose names come from user input. The `source` or `include` statement can then be used to read arbitrary files outside the templates directory by supplying a namespaced name such as `@somewhere/../some.file`; in that case the loader's name validation is bypassed.
**Recommendations**
For versions 1.x prior to 1.44.7, update to version 1.44.7 or later.
For versions 2.x prior to 2.15.3, update to version 2.15.3 or later.
For versions 3.x prior to 3.4.3, update to version 3.4.3 or later.
As a temporary workaround, consider restricting the use of the `source` and `include` statements with user-supplied template names until the upgrade can be applied.
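The following PHP snippet is an added example, not Twig's own code and not the fix shipped in the versions listed above. It shows a caller-side policy check that rejects a user-supplied template name before it reaches the loader, modelling the pattern in the description: a namespaced name whose path part uses `..` to climb out of that namespace's directory. The class name `TemplateNamePolicy`, the namespace-to-directory map, the directory paths and the sample template names are all constructed for this illustration.

```php
<?php
// Added example (not Twig's own code): validate a user-supplied template name
// before handing it to the Twig loader. Names, namespaces and paths are constructed.
declare(strict_types=1);

final class TemplateNamePolicy
{
    /** @var array<string, string> namespace => absolute template root (constructed) */
    private array $roots = [];

    public function __construct(array $roots)
    {
        foreach ($roots as $ns => $dir) {
            $this->roots[$ns] = rtrim(str_replace('\\', '/', $dir), '/');
        }
    }

    /** True only if $name can resolve to a file inside its namespace's root. */
    public function isAllowed(string $name): bool
    {
        // NUL and other control characters have no place in a template name.
        if (preg_match('/[\x00-\x1f]/', $name)) {
            return false;
        }
        $parts = $this->split($name);
        if ($parts === null || !isset($this->roots[$parts[0]])) {
            return false; // malformed name or unknown namespace
        }
        [$namespace, $relative] = $parts;

        // Walk the path part *after* the namespace prefix has been removed
        // (the spot the advisory describes) and refuse to climb above level 0.
        $depth = 0;
        foreach (explode('/', str_replace('\\', '/', $relative)) as $seg) {
            if ($seg === '' || $seg === '.') {
                continue;
            }
            if ($seg === '..') {
                if (--$depth < 0) {
                    return false; // would escape the namespace directory
                }
                continue;
            }
            $depth++;
        }

        // Second layer: the lexically resolved path must still sit under the root.
        $root = $this->roots[$namespace];
        $candidate = $this->normalize($root . '/' . ltrim($relative, '/'));
        return strpos($candidate, $root . '/') === 0;
    }

    /** Split "@ns/path" into [ns, path]; names without "@" use the main namespace. */
    private function split(string $name): ?array
    {
        if ($name === '' || $name[0] !== '@') {
            return ['__main__', $name];
        }
        $pos = strpos($name, '/');
        if ($pos === false || $pos < 2) {
            return null; // "@", "@/x" or "@ns" with no path are malformed
        }
        return [substr($name, 1, $pos - 1), substr($name, $pos + 1)];
    }

    /** Resolve "." and ".." lexically, without touching the filesystem. */
    private function normalize(string $path): string
    {
        $out = [];
        foreach (explode('/', $path) as $seg) {
            if ($seg === '' || $seg === '.') {
                continue;
            }
            if ($seg === '..') {
                array_pop($out);
                continue;
            }
            $out[] = $seg;
        }
        return '/' . implode('/', $out);
    }
}

// Constructed namespace map and sample names; expected verdicts in the right column.
$policy = new TemplateNamePolicy([
    '__main__'  => '/srv/app/templates',
    'somewhere' => '/srv/app/templates/extra',
]);
$cases = [
    'pages/home.html.twig'         => true,
    '@somewhere/partials/nav.twig' => true,
    '@somewhere/a/../b.twig'       => true,  // stays inside the namespace root
    '@somewhere/../some.file'      => false, // the pattern from the advisory
    '../../etc/passwd'             => false,
    "pages/home.twig\0.txt"        => false,
    '@unknown/x.twig'              => false,
];
foreach ($cases as $name => $expected) {
    $verdict = $policy->isAllowed($name) === $expected ? 'ok' : 'MISMATCH';
    printf("%-32s %s\n", addcslashes($name, "\0"), $verdict);
}
```

The check runs entirely on the string, so it can be applied at the controller boundary before any loader call; the separate depth walk and prefix comparison are deliberately redundant so that a future change to one does not silently reopen the traversal.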