Drupal Updates Patch Twig Template Engine Vulnerability


This week’s Drupal updates address a critical vulnerability in Twig that could lead to the disclosure of sensitive information. Drupal is a PHP-based open-source web content management system, and Twig has been its default templating engine since Drupal 8’s release in November 2015.

The vulnerability, identified as CVE-2022-39261, could allow an attacker to load templates outside of a configured directory via the file system loader. It has been assigned a “high” severity rating, or “critical” according to Drupal’s scoring system.

Twig has fixed the vulnerability in versions 1.44.7, 2.15.3, and 3.4.3. The flaw is mitigated by the fact that an attacker needs a restricted-access administrative permission to exploit it.
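To check whether a site already ships a fixed Twig release, the following added example (not code from Drupal or Twig) reads a `composer.lock` file and compares the locked `twig/twig` version against the fixed releases listed above. It assumes each fixed release applies to its own major branch; the sample lock file and the function names are constructed for illustration.

```python
import json
import re

# Fixed Twig releases named in the article, keyed by major version.
# Assumption: each fix applies to its own major branch, and earlier
# releases on that branch are unpatched.
FIXED = {1: (1, 44, 7), 2: (2, 15, 3), 3: (3, 4, 3)}


def parse_version(raw):
    """Turn 'v3.4.2' or '2.15.3' into (3, 4, 2); return None for dev refs."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def twig_status(lock_text):
    """Return (version_string, verdict) for twig/twig in a composer.lock."""
    lock = json.loads(lock_text)
    packages = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    for pkg in packages:
        if pkg.get("name") != "twig/twig":
            continue
        raw = pkg.get("version", "")
        version = parse_version(raw)
        if version is None:
            return raw, "unknown"      # e.g. 'dev-main': check by hand
        fixed = FIXED.get(version[0])
        if fixed is None:
            return raw, "unknown"      # branch not covered by the article
        return raw, "patched" if version >= fixed else "needs-update"
    return None, "not-installed"


# Constructed sample lock file (not taken from a real site).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/yaml", "version": "v4.4.45"},
        {"name": "twig/twig", "version": "v2.15.2"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(twig_status(SAMPLE_LOCK))
```

An `unknown` verdict means the locked version is a development reference, a pre-release, or a branch the article does not mention, and needs a manual check.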
