Maantje

**Name of the Vulnerable Software and Affected Versions** Packistry versions prior to 0.13.0 **Description** Packistry is a self-hosted Composer repository for PHP package distribution. Prior to version 0.13.0, the `RepositoryAwareController::authorize()` function did not enforce token expiration, allowing expired deploy tokens with the correct ability to access repository endpoints, such as Composer metadata and download APIs. The fix in version 0.13.0 adds an explicit expiration check to the `authorize()` function, and tests now verify that expired deploy tokens are rejected. **Recommendations** Update to version 0.13.0 or later.

**Name of the Vulnerable Software and Affected Versions** Twig versions prior to 3.11.2 Twig versions prior to 3.14.1 **Description** In a sandbox, an attacker can call ` toString()` on an object even if the ` toString()` method is not allowed by the security policy when the object is part of an array or an argument list. **Recommendations** For versions prior to 3.11.2, upgrade to version 3.11.2 or later. For versions prior to 3.14.1, upgrade to version 3.14.1 or later.

**Name of the Vulnerable Software and Affected Versions** Twig versions prior to 3.11.2 Twig versions prior to 3.14.1 **Description** In a sandbox, an attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property policy and the ` isset()` method is now called after the security check. This is a BC break. **Recommendations** For versions prior to 3.11.2, upgrade to version 3.11.2 or later. For versions prior to 3.14.1, upgrade to version 3.14.1 or later. As a temporary workaround, consider restricting access to array-like objects in the sandbox mode until a patch is applied.