Description

Smarty is a template engine for PHP. In affected versions smarty did not properly escape javascript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user. Users are advised to upgrade to either version 3.1.48 or to 4.3.1 to resolve this issue. There are no known workarounds for this vulnerability.

Related CPE's

a

smarty

smarty

2

o

fedoraproject

fedora

3

References

https://github.com/smarty-php/smarty/commit/685662466f653597428966d75a661073104d713d

Patch

https://github.com/smarty-php/smarty/security/advisories/GHSA-7j98-h7fp-4vwj

Third Party Advisory

https://lists.fedoraproject.org/archives/list/[email protected]/message/HSAUM3YHWHO4UCJXRGRLQGPJAO3MFOZZ/

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/[email protected]/message/JBB35GLYTL6JL6EOM6BOZNYP47JKNNHT/

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/[email protected]/message/P7O7SKTATM6GAP45S64QFXNLWIY5I7HP/

Mailing ListThird Party Advisory

Weaknesses

[email protected]

Primary
CWE-79

[email protected]

Secondary
CWE-79

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.1 · Medium

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2023-03-28T21:15:11.127

1 year ago

Last modified

2024-02-01T15:19:18.570

5 months ago