Note: This module does not have a stable release so this security issue can be fixed in public.

This module has the following dependency defined in its composer.json file (pattern-builder/pattern-builder:v1.0.0):
http://cgit.drupalcode.org/patternbuilder/tree/composer.json#n5

Which has an insecure package dependency on twig:1.18.*
https://github.com/PatternBuilder/pattern-builder-lib-php/blob/v1.0.0/co...

See the following Twig security advisory for remote code execution:
https://symfony.com/blog/security-release-twig-1-20-0

The master branch of the pattern-builder library appears to have resolved this issue:
https://github.com/PatternBuilder/pattern-builder-lib-php/blob/master/co...
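As an added example (not part of the issue report or of either project), the following Python script performs the check a maintainer would want after reading this report: given a composer.json, it flags any requirement on Twig whose lower bound is below 1.20.0, the release the linked advisory names as the fix. It assumes the Composer package name is `twig/twig` and that the constraint uses one of the common simple forms (exact, `X.Y.*`, `^`, `~`, `>=`); the sample composer.json is constructed to mirror the `twig:1.18.*` pin described above.

```python
"""Flag Composer requirements that can still resolve to a Twig release
older than the one the advisory describes as fixed (1.20.0).

Added example; assumes the package is named twig/twig and handles only
simple single-range constraints (no '||' alternatives)."""
import json
import re

# Twig release that closes the remote code execution issue (from the
# linked symfony.com advisory).
FIXED_VERSION = (1, 20, 0)


def parse_version(text):
    """'v1.18.2' or '1.18' -> (1, 18, 2) / (1, 18, 0), always three parts."""
    nums = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def lowest_allowed(constraint):
    """Lowest version a simple Composer constraint can resolve to.

    Supported forms: exact ('1.20.0'), wildcard ('1.18.*'), caret ('^1.20'),
    tilde ('~1.19') and '>=1.20'. Returns None for anything else so the
    caller can treat it as unknown rather than silently passing it."""
    c = constraint.strip()
    if c.startswith(("^", "~", ">=")):
        return parse_version(c.lstrip("^~>="))
    if re.fullmatch(r"v?\d+(\.\d+)*\.\*", c):      # wildcard: drop the '.*'
        return parse_version(c[:-2])
    if re.fullmatch(r"v?\d+(\.\d+){0,2}", c):       # exact version
        return parse_version(c)
    return None


def vulnerable_requirements(composer_json, package="twig/twig",
                            fixed=FIXED_VERSION):
    """Return {package: constraint} for requirements in 'require' or
    'require-dev' whose lower bound is below `fixed`, i.e. Composer could
    still install a vulnerable release. Unparseable constraints are also
    reported so they get a manual look."""
    data = json.loads(composer_json)
    findings = {}
    for section in ("require", "require-dev"):
        for name, constraint in data.get(section, {}).items():
            if name != package:
                continue
            low = lowest_allowed(constraint)
            if low is None or low < fixed:
                findings[name] = constraint
    return findings


if __name__ == "__main__":
    # Constructed composer.json mirroring the pin reported in the issue.
    SAMPLE = json.dumps({
        "name": "example/pattern-builder-lib",   # hypothetical name
        "require": {"php": ">=5.4", "twig/twig": "1.18.*"},
    })
    print(vulnerable_requirements(SAMPLE))      # {'twig/twig': '1.18.*'}
```

Run it against the library's actual composer.json to reproduce the finding; once the requirement is raised so that its lower bound is at least 1.20.0 (for example `^1.20`), the function returns an empty dict. Because it reasons about the constraint rather than the installed tree, it also catches a fresh `composer install` that would pull a vulnerable release, which a composer.lock-only check would miss.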

Comments

badjava created an issue. See original summary.


@badjava, Thanks for the report. We're planning on a new release for the library and then will update the module once available.


Status: Active » Fixed

@badjava - 7.x-1.1 has been released which uses the Pattern Builder 1.1 Library that has the fix for the TWIG library.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.