cakephp/twig-view is vulnerable to Path Traversal
59
Medium Risk
The FileLoader::findTemplate() method resolves template names for the include and extends tags without confining the resolved path to the allowed template directories. When an application passes user-controlled data as a template name, the loader can resolve paths outside the intended template roots and read arbitrary files on the server. The file contents are then returned through the template engine, exposing sensitive server files. The fix restricts template resolution to the configured template and plugin paths and rejects names that resolve outside them.
You are affected if you are using a version that falls within the vulnerable range and your application passes user-controlled data to the include or extends tags.
cakephp/twig-view is vulnerable to Path Traversal in versions 1.0.1 - 1.3.2 and 2.0.0 - 2.1.1.
Upgrade the cakephp/twig-view library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant