Vulnerable Library - smarty/smarty-v4.2.0
Smarty - the compiling PHP template engine
Library home page: https://api.github.com/repos/smarty-php/smarty/zipball/97aeb14c6fc2fb733938809926e2f9d6c581a70d
Vulnerabilities
| Vulnerability |
Severity |
CVSS |
Dependency |
Type |
Fixed in (smarty/smarty-v4.2.0 version) |
Remediation Possible** |
| CVE-2024-35226 |
High |
7.3 |
smarty/smarty-v4.2.0 |
Direct |
smarty/smarty - v4.5.3 |
❌ |
| CVE-2023-28447 |
High |
7.1 |
smarty/smarty-v4.2.0 |
Direct |
smarty/smarty - v4.3.1,smarty/smarty - v3.1.48 |
❌ |
| CVE-2018-25047 |
Medium |
5.4 |
smarty/smarty-v4.2.0 |
Direct |
smarty/smarty - v3.1.47,smarty/smarty - v4.2.1 |
❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-35226
Vulnerable Library - smarty/smarty-v4.2.0
Smarty - the compiling PHP template engine
Library home page: https://api.github.com/repos/smarty-php/smarty/zipball/97aeb14c6fc2fb733938809926e2f9d6c581a70d
Dependency Hierarchy:
- ❌ smarty/smarty-v4.2.0 (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. In affected versions template authors could inject php code by choosing a malicious file name for an extends-tag. Sites that cannot fully trust template authors should update asap. All users are advised to update. There is no patch for users on the v3 branch. There are no known workarounds for this vulnerability.
Publish Date: 2024-05-28
URL: CVE-2024-35226
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-4rmg-292m-wg3w
Release Date: 2024-05-28
Fix Resolution: smarty/smarty - v4.5.3
Step up your Open Source Security Game with Mend here
CVE-2023-28447
Vulnerable Library - smarty/smarty-v4.2.0
Smarty - the compiling PHP template engine
Library home page: https://api.github.com/repos/smarty-php/smarty/zipball/97aeb14c6fc2fb733938809926e2f9d6c581a70d
Dependency Hierarchy:
- ❌ smarty/smarty-v4.2.0 (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Smarty is a template engine for PHP. In affected versions smarty did not properly escape javascript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user. Users are advised to upgrade to either version 3.1.48 or to 4.3.1 to resolve this issue. There are no known workarounds for this vulnerability.
Publish Date: 2023-03-28
URL: CVE-2023-28447
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-7j98-h7fp-4vwj
Release Date: 2023-03-28
Fix Resolution: smarty/smarty - v4.3.1,smarty/smarty - v3.1.48
Step up your Open Source Security Game with Mend here
CVE-2018-25047
Vulnerable Library - smarty/smarty-v4.2.0
Smarty - the compiling PHP template engine
Library home page: https://api.github.com/repos/smarty-php/smarty/zipball/97aeb14c6fc2fb733938809926e2f9d6c581a70d
Dependency Hierarchy:
- ❌ smarty/smarty-v4.2.0 (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In Smarty before 3.1.47 and 4.x before 4.2.1, libs/plugins/function.mailto.php allows XSS. A web page that uses smarty_function_mailto, and that could be parameterized using GET or POST input parameters, could allow injection of JavaScript code by a user.
Publish Date: 2022-09-14
URL: CVE-2018-25047
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-hwq7-5vv9-c6cf
Release Date: 2022-09-14
Fix Resolution: smarty/smarty - v3.1.47,smarty/smarty - v4.2.1
Step up your Open Source Security Game with Mend here
Smarty - the compiling PHP template engine
Library home page: https://api.github.com/repos/smarty-php/smarty/zipball/97aeb14c6fc2fb733938809926e2f9d6c581a70d
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - smarty/smarty-v4.2.0
Smarty - the compiling PHP template engine
Library home page: https://api.github.com/repos/smarty-php/smarty/zipball/97aeb14c6fc2fb733938809926e2f9d6c581a70d
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. In affected versions template authors could inject php code by choosing a malicious file name for an extends-tag. Sites that cannot fully trust template authors should update asap. All users are advised to update. There is no patch for users on the v3 branch. There are no known workarounds for this vulnerability.
Publish Date: 2024-05-28
URL: CVE-2024-35226
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-4rmg-292m-wg3w
Release Date: 2024-05-28
Fix Resolution: smarty/smarty - v4.5.3
Step up your Open Source Security Game with Mend here
Vulnerable Library - smarty/smarty-v4.2.0
Smarty - the compiling PHP template engine
Library home page: https://api.github.com/repos/smarty-php/smarty/zipball/97aeb14c6fc2fb733938809926e2f9d6c581a70d
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Smarty is a template engine for PHP. In affected versions smarty did not properly escape javascript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user. Users are advised to upgrade to either version 3.1.48 or to 4.3.1 to resolve this issue. There are no known workarounds for this vulnerability.
Publish Date: 2023-03-28
URL: CVE-2023-28447
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-7j98-h7fp-4vwj
Release Date: 2023-03-28
Fix Resolution: smarty/smarty - v4.3.1,smarty/smarty - v3.1.48
Step up your Open Source Security Game with Mend here
Vulnerable Library - smarty/smarty-v4.2.0
Smarty - the compiling PHP template engine
Library home page: https://api.github.com/repos/smarty-php/smarty/zipball/97aeb14c6fc2fb733938809926e2f9d6c581a70d
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
In Smarty before 3.1.47 and 4.x before 4.2.1, libs/plugins/function.mailto.php allows XSS. A web page that uses smarty_function_mailto, and that could be parameterized using GET or POST input parameters, could allow injection of JavaScript code by a user.
Publish Date: 2022-09-14
URL: CVE-2018-25047
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-hwq7-5vv9-c6cf
Release Date: 2022-09-14
Fix Resolution: smarty/smarty - v3.1.47,smarty/smarty - v4.2.1
Step up your Open Source Security Game with Mend here