Twig Output Escaping Vulnerability in Null Coalesce Operator
Vulnerability
A vulnerability in Twig, a PHP template language, was identified in the null coalesce operator (??). In versions from 3.16.0 up to, but not including, 3.19.0, output escaping was not applied to the expression on the left side of the operator, so that value could be emitted without escaping. This issue has been addressed in Twig version 3.19.0.
Impact
The vulnerability could lead to output not being properly escaped, which may allow cross-site scripting (XSS) attacks if untrusted data is not correctly sanitized before being output in a web context.
Reproduction
To reproduce this vulnerability, create a Twig template that uses the null coalesce operator (??) with an expression on the left side that requires output escaping. For example, use a variable that contains untrusted data, such as user input or data from a database, and apply the null coalesce operator to it without proper escaping. When the template is rendered, the output will not be escaped, exposing the application to potential XSS attacks.
Remediation
Users can upgrade to Twig version 3.19.0 or later, where this vulnerability has been fixed.
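The following PHP script is an added example, not code from the advisory or from the Twig project. It turns the reproduction steps above and the remediation into a regression check: it reports whether the installed Twig version falls in the affected range, then renders a template that applies ?? to an untrusted variable with autoescaping enabled and verifies that the left-hand value comes back HTML-escaped. The vendor/autoload.php path, the template name and the sample value are assumptions.

```php
<?php
// Added regression check (not from the advisory or the Twig project).
// Assumes Twig is installed via Composer; adjust the autoload path as needed.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Constructed sample of markup a user could submit. It must reach the
// browser escaped, never as live HTML.
const UNTRUSTED = '<b title="x">name</b>';

// Render a template whose left-hand ?? operand is an untrusted variable.
function renderCoalesce(array $context): string
{
    $loader = new ArrayLoader([
        // Left side: untrusted variable; right side: literal default.
        'coalesce' => '{{ display_name ?? "anonymous" }}',
    ]);
    // 'html' is Twig's default autoescape strategy, stated explicitly here.
    $twig = new Environment($loader, ['autoescape' => 'html']);
    return $twig->render('coalesce', $context);
}

// Affected range per the advisory: 3.16.0 <= version < 3.19.0.
function isAffectedVersion(string $version): bool
{
    return version_compare($version, '3.16.0', '>=')
        && version_compare($version, '3.19.0', '<');
}

$version = Environment::VERSION;
printf(
    "Twig %s: %s\n",
    $version,
    isAffectedVersion($version) ? 'in affected range, upgrade to 3.19.0 or later' : 'outside affected range'
);

// Twig's html strategy escapes with htmlspecialchars using these flags,
// so the escaped sample is the expected rendering.
$expected = htmlspecialchars(UNTRUSTED, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
$out = renderCoalesce(['display_name' => UNTRUSTED]);
if ($out !== $expected) {
    echo "FAIL: left-hand side of ?? rendered unescaped: $out\n";
    exit(1);
}
echo "OK: left-hand side of ?? was escaped\n";

// The fallback branch still works: an undefined variable yields the default.
if (renderCoalesce([]) !== 'anonymous') {
    echo "FAIL: default branch did not render\n";
    exit(1);
}
echo "OK: default branch renders the literal\n";
```

Run the script after upgrading; a non-zero exit means the left-hand operand of ?? is still being emitted without escaping and the installed version should be re-checked against the affected range.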
