@zepgram
Last active February 14, 2022 16:53
5 steps to resolve the critical issue [MDVA-43395]

1. Install the cweagans/composer-patches plugin

composer require cweagans/composer-patches

2. Add the file patch/magento/framework/<your_magento_release_version>-MDVA-43395_EE_v1.patch with the following content:

--- a/vendor/magento/framework/Filter/DirectiveProcessor/VarDirective.php
+++ b/vendor/magento/framework/Filter/DirectiveProcessor/VarDirective.php
@@ -55,6 +55,11 @@ public function process(array $construction, Template $filter, array $templateVa
             $result = $this->filterApplier->applyFromRawParam($construction['filters'], $result);
         }

+        $pattern = '/{{.*?}}/';
+        do {
+            $result = preg_replace($pattern, '', (string)$result);
+        } while (preg_match($pattern, $result));
+
         return $result;
     }
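Review bot: the while condition calls preg_match($pattern, $result) on the bare $result, whereas the preg_replace call casts it with (string); if preg_replace returns null on a PCRE error (backtrack or recursion limit), the loop ends with $result === null and process() returns null where callers expect a string. Check preg_last_error() after the replace, or fall back to an empty string, rather than propagating null. The do/while also deserves a one-line comment stating why a single pass is not enough: removing an inner {{...}} can leave a fresh match around it, so the loop has to run until preg_match finds nothing.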

3. Add the file patch/magento/email/<your_magento_release_version>-MDVA-43395_EE_v1.patch with the following content:

--- a/vendor/magento/module-email/Model/Template/Filter.php
+++ b/vendor/magento/module-email/Model/Template/Filter.php
@@ -605,6 +605,12 @@ class Filter extends \Magento\Framework\Filter\Template
         }

         $text = __($text, $params)->render();
+
+        $pattern = '/{{.*?}}/';
+        do {
+            $text = preg_replace($pattern, '', (string)$text);
+        } while (preg_match($pattern, $text));
+
         return $this->applyModifiers($text, $modifiers);
     }
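Review bot: the pattern and loop here are a verbatim copy of the ones added to VarDirective.php; move the pattern into one shared constant (or a small helper on \Magento\Framework\Filter\Template) so the two call sites cannot drift apart when the pattern is revised. As in the preg_replace call, preg_match($pattern, $text) in the while condition is not cast, so a preg_replace error would end the loop with $text === null and hand null to applyModifiers().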

4. Add the following to the "extra" section of composer.json

"extra": {
    "magento-force": "override",
    "composer-exit-on-patch-failure": true,
    "patches": {
        "magento/framework": {
            "MDVA-43395_EE_v1": "patch/magento/framework/<your_magento_release_version>-MDVA-43395_EE_v1.patch"
        },
        "magento/module-email": {
            "MDVA-43395_EE_v1": "patch/magento/email/<your_magento_release_version>-MDVA-43395_EE_v1.patch"
        }
    }
},

5. Run

composer install
git add .
git commit -m "[MDVA-43395] apply security patch"
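After step 5 it is worth confirming that both hunks really landed in vendor/ and that composer.json is set to fail the install when a patch does not apply. The script below is an added example, not part of the gist; it assumes the project layout used above and identifies a patched file by the $pattern = '/{{.*?}}/'; line that both hunks add.

```shell
#!/bin/sh
# Added example (not from the gist): verify the MDVA-43395 patches after
# `composer install`. Assumes the vendor paths and composer.json keys shown
# in the gist. The marker is the assignment line both hunks add.

MARKER="\$pattern = '/{{.*?}}/';"

# 0 if FILE exists and contains the line added by the patch, 1 otherwise.
check_patched() {
    if [ ! -f "$1" ]; then
        echo "MISSING   $1" >&2
        return 1
    fi
    if grep -qF "$MARKER" "$1"; then
        echo "PATCHED   $1"
        return 0
    fi
    echo "UNPATCHED $1" >&2
    return 1
}

# 0 if composer.json turns a failed patch into a failed install, 1 otherwise.
check_exit_on_failure() {
    grep -Eq '"composer-exit-on-patch-failure"[[:space:]]*:[[:space:]]*true' "$1" 2>/dev/null
}

# Run every check against a Magento root; non-zero if anything is off.
verify_mdva_43395() {
    root="${1:-.}"
    status=0
    for f in \
        "$root/vendor/magento/framework/Filter/DirectiveProcessor/VarDirective.php" \
        "$root/vendor/magento/module-email/Model/Template/Filter.php"
    do
        check_patched "$f" || status=1
    done
    if ! check_exit_on_failure "$root/composer.json"; then
        echo "composer-exit-on-patch-failure is not true in $root/composer.json" >&2
        status=1
    fi
    return $status
}

# Set MAGENTO_ROOT to run the verification directly, e.g.
# MAGENTO_ROOT=/var/www/magento sh verify-mdva-43395.sh
if [ -n "$MAGENTO_ROOT" ]; then
    verify_mdva_43395 "$MAGENTO_ROOT"
fi
```

The script exits non-zero if either vendor file is missing or unpatched, or if composer-exit-on-patch-failure is not true, so it can sit in CI next to the composer install step.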