CVE-2018-13818
Summary
| CVE | CVE-2018-13818 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2018-07-10 14:29:00 UTC |
| Updated | 2023-11-07 02:52:00 UTC |
| Description | ** DISPUTED ** Twig before 2.4.4 allows Server-Side Template Injection (SSTI) via the search search_key parameter. NOTE: the vendor points out that Twig itself is not a web application and states that it is the responsibility of web applications using Twig to properly wrap input to it. |
Risk And Classification
Problem Types: CWE-94
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Twig/CHANGELOG at 2.x · twigphp/Twig · GitHub | MISC | github.com | Release Notes |
| CVE-2018-13818 · Issue #2743 · twigphp/Twig · GitHub | MISC | github.com | Exploit, Third Party Advisory |
| Jameel Nabbo on Twitter: "hahaha, the idea I've done it in BlackBox testing, But I'll give the way of finding it, If the system is using Twig, all you have to do is simply by intercepting the requests by @Burp_Suite and look to any Param that accept GET/POST and put the following{{2+2}} if you saw 4 :)… https://t.co/RFFg7xrqPP" | MISC | mobile.twitter.com | Exploit, Third Party Advisory |
| Twig < 2.4.4 - Server Side Template Injection - PHP webapps Exploit | EXPLOIT-DB | www.exploit-db.com | Exploit, Third Party Advisory, VDB Entry |
| prepared the 2.4.4 release · twigphp/Twig@eddb971 · GitHub | MISC | github.com | Patch, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.