=====================================================================
                            CERT-Renater

                 Information Note No. 2025/VULN061
_____________________________________________________________________

DATE                 : 31/01/2025

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running twig (Composer) versions prior
                       to 3.19.0.

=====================================================================
https://github.com/twigphp/Twig/security/advisories/GHSA-3xg3-cgvq-2xwr
_____________________________________________________________________

Fix a security issue where escaping was missing when using null coalesce operator (??)

Moderate
fabpot published GHSA-3xg3-cgvq-2xwr Jan 29, 2025

Package
twig/

Affected versions
>=3.16.0,<3.19.0

Patched versions
3.19.0

Description
When using the ?? operator, output escaping was missing for the expression on the left side of the operator.

Severity
Moderate 4.3 / 10

CVSS v3 base metrics
Attack vector       : Network
Attack complexity   : Low
Privileges required : None
User interaction    : Required
Scope               : Unchanged
Confidentiality     : None
Integrity           : Low
Availability        : None

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CVE ID
CVE-2025-24374

Weaknesses
No CWEs

Credits
@PhilETaylor (Reporter)
@fabpot (Remediation developer)

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================
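
Added example (not part of the advisory or of the Twig project's code): a triage check that reads a composer.lock, tests the installed Twig version against the affected range given above, and lists output tags that use ?? so those templates can be reviewed first. It assumes the Composer package name is twig/twig (the package field above is truncated); the sample lock file and template are constructed.

```python
import json
import re

# Affected range as stated in the advisory: >=3.16.0,<3.19.0
AFFECTED_MIN = (3, 16, 0)
PATCHED = (3, 19, 0)
PACKAGE = "twig/twig"  # assumption: Composer package name, truncated on the page

# An output tag {{ ... }} containing the ?? operator (never crosses a closing }}).
OUTPUT_WITH_COALESCE = re.compile(
    r"\{\{(?:(?!\}\}).)*?\?\?(?:(?!\}\}).)*\}\}", re.S
)


def parse_version(text):
    """Turn 'v3.18.0' or '3.18' into a comparable (major, minor, patch) tuple."""
    nums = re.findall(r"\d+", text.split("-")[0])[:3]
    return tuple(int(n) for n in nums + ["0"] * (3 - len(nums)))


def twig_status(lock_text):
    """Return (version, affected) for Twig in a composer.lock, or (None, False)."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            version = parse_version(pkg["version"])
            return pkg["version"], AFFECTED_MIN <= version < PATCHED
    return None, False


def coalesce_outputs(template_text):
    """List (line_number, tag) for each output tag that uses ?? in a template."""
    hits = []
    for m in OUTPUT_WITH_COALESCE.finditer(template_text):
        line = template_text.count("\n", 0, m.start()) + 1
        hits.append((line, m.group(0)))
    return hits


# Constructed sample inputs (not taken from any real project).
SAMPLE_LOCK = json.dumps({"packages": [{"name": PACKAGE, "version": "v3.18.0"}]})
SAMPLE_TEMPLATE = (
    "<h1>{{ title }}</h1>\n<p>{{ user.bio ?? 'No bio' }}</p>\n{% set x = a ?? b %}\n"
)

if __name__ == "__main__":
    print(twig_status(SAMPLE_LOCK))
    print(coalesce_outputs(SAMPLE_TEMPLATE))
```

A listed tag is a candidate for review, not a confirmed injection point; upgrading to 3.19.0 is the fix the advisory gives.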