EasyAdminBundle has path traversal and reflected XSS in Flag and Icon Twig components
EasyAdminBundle ships two public Twig components — <twig:ea:Flag countryCode="…"> and <twig:ea:Icon name="…"> — that load SVG files from disk using a path built directly from a public component property, and then render the resulting markup with the Twig |raw filter. When an application binds either of those properties to data that is influenced by an end user, the lack of validation on the property value leads to two distinct issues: …
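To make the pattern concrete, here is an added example (not EasyAdminBundle's own code) showing a minimal PHP loader that builds the SVG path straight from a component property, next to a hardened version that allowlists the value and verifies the resolved path stays inside the asset directory. The asset directory, file layout and function names are assumptions for illustration.

```php
<?php
// Added example, not EasyAdminBundle's code. Directory and names are assumptions. Requires PHP 8+.
declare(strict_types=1);

const SVG_DIR = __DIR__ . '/assets/flags'; // hypothetical asset directory

// Vulnerable pattern: the property value is concatenated into the path with no
// validation, and whatever the read returns is later rendered with |raw.
function loadSvgUnsafe(string $countryCode): string|false
{
    return @file_get_contents(SVG_DIR . '/' . $countryCode . '.svg');
}

// Hardened pattern: constrain the shape of the value first, then confirm via
// realpath() that the file actually lives under the asset directory.
function loadSvgSafe(string $countryCode): ?string
{
    // Country codes are exactly two lowercase ASCII letters; reject anything else.
    if (preg_match('/\A[a-z]{2}\z/', $countryCode) !== 1) {
        return null;
    }
    $baseDir = realpath(SVG_DIR);
    $path = realpath(SVG_DIR . '/' . $countryCode . '.svg');
    if ($baseDir === false || $path === false) {
        return null; // unknown code or missing asset
    }
    // Defence in depth: a symlink or unexpected name must not escape the directory.
    if (!str_starts_with($path, $baseDir . DIRECTORY_SEPARATOR)) {
        return null;
    }
    // Only bundled, trusted assets reach this point, which is the sole reason
    // rendering the returned markup with |raw is acceptable downstream.
    $svg = file_get_contents($path);
    return $svg === false ? null : $svg;
}

// Constructed inputs: a legitimate code, a traversal attempt and an odd name.
foreach (['fr', '../../not-a-flag', 'fr.svg'] as $input) {
    $result = loadSvgSafe($input);
    printf("%-20s => %s\n", var_export($input, true), $result === null ? 'rejected' : 'loaded');
}
```

Only 'fr' passes the allowlist, and even then the file is served only if it resolves inside the asset directory.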