| Package | smarty3 |
|---|---|
| Version | 3.1.33+20180830.1.3a78a21f+selfpack1-1+deb10u3 (buster) |
| Related CVEs | CVE-2018-25047, CVE-2023-28447, CVE-2024-35226 |
Multiple vulnerabilities were discovered in smarty3, a widely used PHP templating engine, which potentially allow an attacker to perform cross-site scripting (XSS, i.e. JavaScript injection) or PHP code injection.
CVE-2018-25047
In Smarty before 3.1.47 and 4.x before 4.2.1,
libs/plugins/function.mailto.php allows XSS. A web page that uses
smarty_function_mailto, and that could be parameterized using GET or
POST input parameters, could allow injection of JavaScript code by a
user.
CVE-2018-25047 had already been reported as fixed via DLA-3262-1; however, that fix was found to be incomplete.
CVE-2023-28447
In affected versions, Smarty did not properly escape JavaScript code.
An attacker could exploit this vulnerability to execute arbitrary
JavaScript code in the context of the user's browser session. This
may lead to unauthorized access to sensitive user data, manipulation
of the web application's behavior, or unauthorized actions performed
on behalf of the user. Users are advised to upgrade to either
version 3.1.48 or to 4.3.1 to resolve this issue. There are no known
workarounds for this vulnerability.
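Both XSS issues above involve request-controlled values reaching the mailto output or the JavaScript escaping inside Smarty. The PHP below is an added example, not code from this advisory, from Debian or from the Smarty project, of the defence in depth a site can apply at its own input and output boundaries while the package upgrade is rolled out: strict address validation, bounding free-form link text, and escaping a value for the JavaScript string context separately from the HTML context. The request parameter names, the Smarty include path, the template name and the directories are assumptions made for the example.

```php
<?php
// Added example (not part of the advisory or of Smarty itself): build a
// {mailto} link from request input without handing raw GET data to the
// template engine. The parameter names "to" and "text", the include path
// and the template/directory names are assumptions for this example.
require_once '/usr/share/php/smarty3/Smarty.class.php'; // path assumed

// Validate the address strictly: a legitimate e-mail address never contains
// quotes, angle brackets or newlines, so anything that fails
// FILTER_VALIDATE_EMAIL is rejected outright rather than "cleaned up".
function validated_address(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $addr = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $addr === false ? null : $addr;
}

// Link text is free-form, so it is let through but bounded in length and
// stripped of control characters. Context-appropriate escaping is still
// applied at output time (see the template comment below). Requires mbstring.
function bounded_text(?string $raw, int $max = 80): string
{
    $text = preg_replace('/[\x00-\x1f\x7f]/', '', (string) $raw);
    return mb_substr($text, 0, $max);
}

// Each output context needs its own escaping: HTML entity escaping does not
// make a value safe inside a JavaScript string literal, and vice versa.
// json_encode with the HEX flags produces a JS literal that can be embedded
// in an inline <script> block even if the value contains "</script>".
function js_string_literal(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE
    );
}

$to   = validated_address($_GET['to'] ?? null);
$text = bounded_text($_GET['text'] ?? null);

if ($to === null) {
    http_response_code(400);
    exit('invalid address');
}

$smarty = new Smarty();
$smarty->setTemplateDir(__DIR__ . '/templates');   // directories assumed
$smarty->setCompileDir(__DIR__ . '/templates_c');
$smarty->escape_html = true;   // HTML-escape every {$var} output by default

$smarty->assign('to', $to);
$smarty->assign('text', $text);
$smarty->assign('textJs', js_string_literal($text));

// contact.tpl (assumed name) could contain, for instance:
//   {mailto address=$to text=$text|escape}
//   <script>var label = {$textJs nofilter};</script>
// escape_html covers {$var} output but not values passed as function
// parameters, so the link text is escaped explicitly; the JS literal is
// emitted with nofilter because it is already escaped for that context and
// must not be HTML-escaped a second time.
$smarty->display('contact.tpl');
```

The important point for review is that `escape_html` is a default for variable output only: values passed as attributes to plugins such as `{mailto}` bypass it, which is why the validation and the explicit `|escape` sit at the boundary. None of this replaces the upgrade; the advisory states there is no workaround for the engine-side bug, and the example only reduces what untrusted input can carry into it.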
CVE-2024-35226
In affected versions, template authors could inject PHP code by
choosing a malicious file name for an {extends} tag. Sites that cannot
fully trust template authors should update as soon as possible. All
users are advised to update. There is no patch for users on the v3
branch. There are no known workarounds for this vulnerability.
For Debian 10 buster, these problems have been fixed in version 3.1.33+20180830.1.3a78a21f+selfpack1-1+deb10u3.
We recommend that you upgrade your smarty3 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.