
CVE-2022-21686:
Server Side Twig Template Injection

CVSS Score
9.1 (CVSS v3.1)

Basic Information

EPSS Score
0.68297%
Published
1/27/2022
Updated
2/3/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Package Name
prestashop/prestashop
Ecosystem
composer
Vulnerable Versions
>= 1.7.0.0, <= 1.7.8.2
First Patched Version
1.7.8.3

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from how legacy layouts were processed in getLegacyLayout(). The original implementation used simple string replacement without context-aware escaping, particularly for the header and footer sections. The security patch (1) splits the layout into components, (2) adds an escapeSmarty() method that applies the Twig raw filter with proper escaping, and (3) assembles the template in a structured way that leaves no injection points. Before the patch, the str_replace approach allowed unescaped user-controlled content to be interpreted as Twig code when admin templates were rendered, enabling server-side template injection.
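The following PHP snippet is an added illustration of the vulnerability class described above and is not PrestaShop's code or its actual fix: it contrasts splicing untrusted strings into a template's source before compilation (the str_replace pattern) with passing them to the compiled template as variables. The function names, the %%placeholder%% convention and the sample content are assumptions made for the illustration; PrestaShop's real patch took the different route of an escapeSmarty() method and the Twig raw filter, as the analysis notes. It assumes twig/twig is installed via Composer.

```php
<?php
declare(strict_types=1);

// Added example, not PrestaShop code. Requires twig/twig (Composer autoloader).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

/**
 * Vulnerable pattern (hypothetical name): untrusted parts are spliced into the
 * template SOURCE with str_replace and only then compiled, so any Twig syntax
 * inside the untrusted strings is parsed and executed by the engine.
 */
function renderLayoutUnsafe(Environment $twig, string $skeleton, array $parts): string
{
    $placeholders = array_map(fn (string $k): string => '%%' . $k . '%%', array_keys($parts));
    $source = str_replace($placeholders, array_values($parts), $skeleton);

    // The untrusted content is now part of the template itself.
    return $twig->createTemplate($source)->render([]);
}

/**
 * Hardened pattern (hypothetical name): the skeleton is the only template
 * source. Untrusted parts are supplied as context variables, so the engine
 * treats them as data (and HTML-autoescapes them), never as code.
 */
function renderLayoutSafe(Environment $twig, string $skeleton, array $parts): string
{
    // Turn each %%name%% placeholder into a Twig variable reference {{ name }}.
    $source = preg_replace('/%%(\w+)%%/', '{{ $1 }}', $skeleton);

    return $twig->createTemplate($source)->render($parts);
}

// Constructed sample input: a layout skeleton with header/content slots, and
// content that originated from a request and carries Twig expression syntax.
$twig = new Environment(new ArrayLoader()); // autoescape defaults to 'html'
$skeleton = '<header>%%header%%</header><main>%%content%%</main>';
$parts = [
    'header'  => 'Dashboard',
    'content' => 'Hello {{ 7 * 7 }}', // constructed probe string, not real user data
];

// Unsafe: the arithmetic expression inside the untrusted string is evaluated,
// which is exactly the behaviour that turns stored content into template code.
echo renderLayoutUnsafe($twig, $skeleton, $parts), PHP_EOL;

// Safe: the same string is rendered as literal, escaped text.
echo renderLayoutSafe($twig, $skeleton, $parts), PHP_EOL;
```

The defensive rule the two functions illustrate is that template source must be fixed at development time and untrusted values must only ever enter through the render context; any code path that builds template text from request-derived or database-stored strings (whether by str_replace, concatenation or sprintf) is an injection point regardless of what the strings contain today.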


WAF Protection Rules

WAF Rule

PrestaShop is an Open Source e-commerce platform. Starting with version 1.7.0.0 and ending with version 1.7.8.2, an attacker is able to inject twig code inside the back office when using the legacy layout. The problem is fixed in version 1.7.8.3. The
