CVE-2021-41170

Incorrect Permission Assignment for Critical Resource in packagist/neoan3-apps/template

Identifiers

CVE-2021-41170, GHSA-3v56-q6r6-4gcw

Package Slug

packagist/neoan3-apps/template

Vulnerability

Incorrect Permission Assignment for Critical Resource

Description

neoan3-apps/template allows for passing in closures directly into the template engine. As a result, values that are callable are executed by the template engine. The issue arises if a value has the same name as a method or function in scope and can therefore be executed either by mistake or maliciously. In theory all users of the package are affected as long as they either deal with direct user input or database values.

Affected Versions

All versions before 1.1.1

Solution

Upgrade to version 1.1.1 or above.

Last Modified

2021-11-15

source