1. Home
  2. CVE Database
  3. CVE-2024-51754
LOW · 2.2

CVE-2024-51754

Twig is a template language for PHP. In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of a...

Vulnerability Description

Twig is a template language for PHP. In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance). This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.

CVSS Score

2.2

LOW

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE

Related Weaknesses (CWE)

CWE-668

References

FAQ

What is CVE-2024-51754?

CVE-2024-51754 is a vulnerability with a CVSS score of 2.2 (LOW). Twig is a template language for PHP. In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of a...

How severe is CVE-2024-51754?

CVE-2024-51754 has been rated LOW with a CVSS base score of 2.2/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-51754?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.