cakephp/twig-view is vulnerable to Deserialization of Untrusted Data
69
Medium Risk
The unserialize Twig filter in the twig-view plugin deserializes input without restricting which PHP classes may be instantiated. When a template applies this filter to attacker-controlled data, the deserialization can be abused as a remote-code-execution gadget through crafted serialized objects. This lets an attacker trigger unintended object instantiation and magic methods while a view is rendered. The fix disables object instantiation by passing ['allowed_classes' => false] to unserialize and deprecates the serialize and unserialize filters.
You are affected if you are using a version that falls within the vulnerable range and your templates apply the unserialize filter to untrusted data.
cakephp/twig-view is vulnerable to Deserialization of Untrusted Data in versions 1.0.0 - 1.3.2 and 2.0.0 - 2.1.1.
Upgrade the cakephp/twig-view library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant