Search Results (23 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2023-41336 1 Symfony 1 Ux Autocomplete 2024-11-21 6.5 Medium
ux-autocomplete is a JavaScript Autocomplete functionality for Symfony. Under certain circumstances, an attacker could successfully submit an entity id for an `EntityType` that is *not* part of the valid choices. The problem has been fixed in `symfony/ux-autocomplete` version 2.11.2.
CVE-2019-9942 2 Debian, Symfony 2 Debian Linux, Twig 2024-11-21 3.7 Low
A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed by the security policy in place.
CVE-2018-13818 1 Symfony 1 Twig 2024-11-21 N/A
Twig before 2.4.4 allows Server-Side Template Injection (SSTI) via the search search_key parameter. NOTE: the vendor points out that Twig itself is not a web application and states that it is the responsibility of web applications using Twig to properly wrap input to it