CVE-2021-23803: 
PHP vulnerability analysis and mitigation

The vulnerability CVE-2021-23803 affects the latte/latte package versions before 2.10.6. The vulnerability was discovered and disclosed in December 2021. It involves a security bypass in the template engine's function restriction mechanism (Debian Security, CVE Mitre).

The vulnerability allows attackers to bypass the allowFunctions security feature by adding control characters (x00-x08) after the function name in the template. When the template is configured to allow or disallow specific functions, these restrictions can be circumvented by inserting control characters after the function name, potentially leading to unauthorized function execution (GitHub Issue).

The vulnerability could allow attackers to execute unauthorized functions within the template engine, potentially leading to security breaches in applications using the affected versions of latte/latte. This bypass could enable attackers to execute system functions that were explicitly forbidden by the security policy (GitHub Issue).

The vulnerability was fixed in version 2.10.6 of latte/latte. The fix involves removing all control characters from templates and implementing more rigorous function validation. A patch was implemented that triggers a warning when control characters are detected and removes them from the template (GitHub Commit).