Affected versions
Twig >2.0.0,<2.14.11 || >3.0.0,<3.3.8 are affected by this security issue. Twig 1.x is not affected as the "sort" filter does not allow an arrow function in that version.
The issue has been fixed in Twig 2.14.11 and 3.3.8.
Description
When in a sandbox mode, the arrow parameter of the sort filter must be a closure to avoid attackers being able to run arbitrary PHP functions.
The SymfonyCon Disneyland Paris was initially scheduled in 2020, then postponed to 2021. But at that time, we didn't have enough visibility to organize it properly with the Covid circumstances. We finally decided to cancel it instead of postponing it again without any guarantee to be able to organize it.
This week, Symfony 4.4.37, 5.3.14, 5.4.3 and 6.0.3 maintenance versions were released. In addition, a potential security vulnerability related to CSRF tokens in forms was found and fixed in security releases for all maintained versions.
Affected versions
Symfony 5.3.14, 5.4.3, and 6.0.3 versions of the Symfony Framework Bundle is affected by this security issue.
The issue has been fixed in Symfony 5.3.15, 5.4.4, and 6.0.4.
Affected versions
Symfony 5.3.14, 5.4.3, and 6.0.3 versions of the Symfony Framework Bundle is affected by this security issue.
The issue has been fixed in Symfony 5.3.15, 5.4.4, and 6.0.4.
Symfony 6.0.4 has just been released.
Here is the list of the most important changes since 6.0.3:
Symfony 5.4.4 has just been released.
Here is the list of the most important changes since 5.4.3:
Symfony 5.3.15 has just been released.
Here is the list of the most important changes since 5.3.14:
Symfony 6.0.3 has just been released.
Here is the list of the most important changes since 6.0.2:
Symfony 5.4.3 has just been released.
Here is the list of the most important changes since 5.4.2: