CVE-2021-21408 — Improper Input Validation in Smarty

CWE-20 — Improper Input Validation9 documents4 sources

Severity

8.8HIGHCNA

OSV7.5

No vector

EPSS

0.5%

top 35.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Smarty-php Smarty Smarty

Timeline

PublishedJan 10

Latest updateJun 21

Description

Access to restricted PHP code by dynamic static class access in smarty Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.43 and 4.0.3, template authors could run restricted static php methods. Users should upgrade to version 3.1.43 or 4.0.3 to receive a patch.

Affected Packages2 packages

▶Packagistsmarty/smarty4.0.0 — 4.0.3+1

▶CVEListV5smarty-php/smarty< 3.1.43+1

🔴Vulnerability Details

OSV

smarty3 vulnerabilities↗2022-06-21

▶

OSV

smarty3 vulnerabilities↗2022-03-28

▶

OSV

smarty3 vulnerabilities↗2022-03-28

▶

OSV

Access to restricted PHP code by dynamic static class access in smarty↗2022-01-12

▶

GHSA

Access to restricted PHP code by dynamic static class access in smarty↗2022-01-12

▶

📋Vendor Advisories

Ubuntu

Smarty vulnerabilities↗2022-06-21

▶

Ubuntu

Smarty vulnerabilities↗2022-03-28

▶

Ubuntu

Smarty vulnerabilities↗2022-03-28

▶