CVE-2021-41170
PHP vulnerability analysis and mitigation

Overview

CVE-2021-41170 affects neoan3-template, the PHP template engine of the neoan3 project, in versions prior to 1.1.1, which allowed direct injection of closures. The advisory was published on November 8, 2021. The flaw arises when a value handed to the template engine has the same name as a function or method that is callable in the current scope: the engine then executes that value instead of rendering it, whether the collision happens by accident or because an attacker chose the value (GitHub Advisory).

Technical details

During template evaluation, the engine decided whether to execute a substitution value by checking whether that value is callable in the current scope, so any value that happens to be callable (such as a string holding the name of a global function) is invoked rather than printed. The issue is therefore relevant wherever the substituted values come from direct user input or from database records, that is, wherever the application renders untrusted data through the engine (GitHub Issue). The vulnerability has been assigned a CVSS score of 7.5, which indicates high severity (CISA Bulletin).

Impact

The vulnerability enables a multi-step attack: an attacker first stores a chosen value in a database field that is known to be rendered later by the template engine. If that stored value is callable, for example the name of a global or locally defined function or method, rendering the template executes it instead of displaying it. All users of the package who render direct user input or database values are affected (GitHub Advisory).
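The following is an added illustration, not code from neoan3-template or its advisory. It models the behaviour described in the technical details and impact sections above with a minimal placeholder substitution engine: the vulnerable variant treats any substitution value that passes is_callable() as something to invoke, so a string stored in the database that happens to name a function gets executed; the hardened variant only ever prints data and invokes nothing except closures the developer registered explicitly, which is the approach the fixed release takes. All names here (renderVulnerable, renderSafe, ClosureRegistry, the {{fn:name}} syntax, the sample row) are this example's own assumptions. phpversion() is used as the attacker-chosen value only because it is harmless; the engine treats any callable name the same way.

```php
<?php
// Added illustration (not neoan3-template's own code): a minimal stand-in for a
// template engine that substitutes {{key}} placeholders. The pre-1.1.1 behaviour
// described in the advisory is modelled as "if the value is callable, call it".
declare(strict_types=1);

// Constructed "database row": the second value is attacker-controlled text that
// happens to be the name of a global function.
$row = [
    'name'  => 'Alice',
    'motto' => 'phpversion',
];

// Vulnerable model: a substitution value that is_callable() is executed.
function renderVulnerable(string $html, array $values): string
{
    return preg_replace_callback('/\{\{\s*(\w+)\s*\}\}/', function (array $m) use ($values): string {
        $value = $values[$m[1]] ?? '';
        if (is_callable($value)) {   // true for the string "phpversion"
            $value = $value();       // executes whatever function the data named
        }
        return (string) $value;
    }, $html) ?? $html;
}

// Hardened model: data is only ever printed as escaped text; only closures that the
// developer registered by name may be invoked, through a separate {{fn:name}} syntax.
final class ClosureRegistry
{
    /** @var array<string, Closure> */
    private array $closures = [];

    public function register(string $name, Closure $fn): void
    {
        $this->closures[$name] = $fn;
    }

    public function call(string $name): string
    {
        if (!isset($this->closures[$name])) {
            throw new RuntimeException("No registered closure named '$name'");
        }
        return (string) ($this->closures[$name])();
    }
}

function renderSafe(string $html, array $values, ClosureRegistry $registry): string
{
    // Registered closures: only names the developer registered are callable.
    $html = preg_replace_callback('/\{\{\s*fn:(\w+)\s*\}\}/', function (array $m) use ($registry): string {
        return $registry->call($m[1]);
    }, $html) ?? $html;
    // Data placeholders: never inspected for callability, always emitted as text.
    return preg_replace_callback('/\{\{\s*(\w+)\s*\}\}/', function (array $m) use ($values): string {
        return htmlspecialchars((string) ($values[$m[1]] ?? ''), ENT_QUOTES, 'UTF-8');
    }, $html) ?? $html;
}

$template = '<p>{{name}} says: {{motto}}</p>';

// Vulnerable: prints the running PHP version instead of the literal word "phpversion".
echo renderVulnerable($template, $row), PHP_EOL;

// Hardened: the stored string is printed verbatim; only the registered "year" closure runs.
$registry = new ClosureRegistry();
$registry->register('year', fn(): string => date('Y'));
echo renderSafe($template . ' <small>{{fn:year}}</small>', $row, $registry), PHP_EOL;
```

The design point is that callability is a property of the data, not of the developer's intent: once untrusted strings reach a code path that asks is_callable() and then invokes them, the attacker chooses which function runs. Keeping a separate, explicit registry of closures removes that decision from the data entirely.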

Mitigation and workarounds

The issue is fixed in version 1.1.1 of the package. The fix stops the engine from invoking values that merely happen to be callable; closures must now be registered explicitly with TemplateFunctions::registerClosure() before a template can call them. For versions prior to 1.1.1 the only workaround is to render hardcoded values only, which significantly limits the template engine's usefulness. Users are strongly advised to upgrade to version 1.1.1 or later (GitHub Advisory).
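To check whether a project is on a vulnerable release, the added script below (not part of the advisory or the project) reads a composer.lock structure and compares the locked version of the package against the fixed version with version_compare(). It assumes the package is recorded under the Packagist name neoan3-apps/template; adjust the constant if your lock file names it differently. The lock-file fragment embedded at the end is constructed for the demonstration.

```php
<?php
// Added example: audit a composer.lock for a vulnerable neoan3 template version.
// The Packagist name below is an assumption of this example.
declare(strict_types=1);

const VULN_PACKAGE  = 'neoan3-apps/template';
const FIXED_VERSION = '1.1.1';

/**
 * Inspect a decoded composer.lock and report the package's status.
 * Returns ['installed' => bool, 'version' => ?string, 'vulnerable' => bool].
 */
function auditLock(array $lock, string $package = VULN_PACKAGE, string $fixed = FIXED_VERSION): array
{
    // Both runtime and dev sections are checked: a template engine pulled in via
    // require-dev still executes if a tooling or test path renders untrusted data.
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $entry) {
            if (($entry['name'] ?? '') !== $package) {
                continue;
            }
            // composer.lock versions often carry a "v" prefix (v1.0.9); strip it so
            // version_compare() sees a plain version string.
            $version = ltrim((string) ($entry['version'] ?? ''), 'v');
            // Branch aliases such as dev-master cannot be compared numerically;
            // flag them as needing manual review rather than silently passing them.
            $vulnerable = strncmp($version, 'dev-', 4) === 0
                || version_compare($version, $fixed, '<');
            return ['installed' => true, 'version' => $version, 'vulnerable' => $vulnerable];
        }
    }
    return ['installed' => false, 'version' => null, 'vulnerable' => false];
}

// Constructed lock-file fragment for the demonstration (not a real project's lock file).
$lockJson = <<<'JSON'
{
  "packages": [
    {"name": "neoan3-apps/template", "version": "v1.0.9"},
    {"name": "psr/log", "version": "1.1.4"}
  ],
  "packages-dev": []
}
JSON;

$lock   = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
$result = auditLock($lock);

printf(
    "%s %s: %s\n",
    VULN_PACKAGE,
    $result['version'] ?? 'not installed',
    $result['vulnerable'] ? 'VULNERABLE, upgrade to >= ' . FIXED_VERSION : 'ok'
);

// For a real project, decode the file instead of the embedded fragment:
// $lock = json_decode(file_get_contents('composer.lock'), true, 512, JSON_THROW_ON_ERROR);
```

On Composer 2.4 or later, `composer audit` performs the same kind of check against the published advisory database for every locked package; the script above is useful where that command is unavailable or where the check has to run inside a CI step without network access.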

Additional resources

This report was generated using AI.

