CVE-2014-8350
Published 2014-11-03
CVE-2014-8350: Smarty before 3.1.21 allows remote attackers to bypass the secure mode restrictions and execute arbitrary PHP code as demonstrated by "{literal}" in a template.
Priority: P3 · 48 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 3.13% (86.2th percentile)
Affected
86 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | smarty3 | < smarty3 3.1.21-1 (bookworm) | smarty3 3.1.21-1 (bookworm) |
| smarty | smarty | <= 3.1.20 | — |
| smarty | smarty | — | — |
CVSS provenance
nvd: v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
osv: 7.5 HIGH
vendor_debian: 7.5 HIGH
Debian
CVE-2014-8350: smarty3 - Smarty before 3.1.21 allows remote attackers to bypass the secure mode restricti...
vendor_debian · 2014 · CVSS 7.5
CVE-2014-8350 [HIGH] CVE-2014-8350: smarty3 - Smarty before 3.1.21 allows remote attackers to bypass the secure mode restricti...
Smarty before 3.1.21 allows remote attackers to bypass the secure mode restrictions and execute arbitrary PHP code as demonstrated by "{literal}" in a template.
Scope: local
bookworm: resolved (fixed in 3.1.21-1)
bullseye: resolved (fixed in 3.1.21-1)
forky: resolved (fixed in 3.1.21-1)
sid: resolved (fixed in 3.1.21-1)
trixie: resolved (fixed in 3.1.21-1)
GHSA
Smarty arbitrary PHP code execution
ghsa · 2022-05-17
CVE-2014-8350 [HIGH] CWE-94 Smarty arbitrary PHP code execution
Smarty before 3.1.21 allows remote attackers to bypass the secure mode restrictions and execute arbitrary PHP code as demonstrated by "{literal}" in a template.
OSV
Smarty arbitrary PHP code execution
osv · 2022-05-17
CVE-2014-8350 [HIGH] Smarty arbitrary PHP code execution
Smarty before 3.1.21 allows remote attackers to bypass the secure mode restrictions and execute arbitrary PHP code as demonstrated by "{literal}" in a template.
OSV
CVE-2014-8350: Smarty before 3
osv · 2014-11-03 · CVSS 7.5
CVE-2014-8350 [HIGH] CVE-2014-8350: Smarty before 3
Smarty before 3.1.21 allows remote attackers to bypass the secure mode restrictions and execute arbitrary PHP code as demonstrated by "{literal}" in a template.
No detection rules found.
No public exploits indexed.
http://advisories.mageia.org/MGASA-2014-0468.html
http://seclists.org/oss-sec/2014/q4/420
http://seclists.org/oss-sec/2014/q4/421
http://www.mandriva.com/security/advisories?name=MDVSA-2014:221
http://www.securityfocus.com/bid/70708
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765920
https://code.google.com/p/smarty-php/source/browse/trunk/distribution/change_log.txt?r=4902
https://exchange.xforce.ibmcloud.com/vulnerabilities/97725
2014-11-03
Published