CVE-2022-29221
published 2022-05-24CVE-2022-29221: PHP Code Injection by malicious block or filename in Smarty Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from…
high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
4.54%
90.4th percentile
PHP Code Injection by malicious block or filename in Smarty
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.45 and 4.1.1, template authors could inject php code by choosing a malicious {block} name or {include} file name. Sites that cannot fully trust template authors should upgrade to versions 3.1.45 or 4.1.1 to receive a patch for this issue. There are currently no known workarounds.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| postfixadmin | postfixadmin | >= 0 < 3.0.2-2ubuntu0.1~esm1 | 3.0.2-2ubuntu0.1~esm1 |
| postfixadmin | postfixadmin | >= 0 < 3.2.1-3ubuntu0.1~esm1 | 3.2.1-3ubuntu0.1~esm1 |
| postfixadmin | postfixadmin | >= 0 < 3.3.10-2ubuntu0.1~esm1 | 3.3.10-2ubuntu0.1~esm1 |
| smarty-php | smarty | < 3.1.45 | 3.1.45 |
| smarty-php | smarty | — | — |
| smarty | smarty | >= 0 < 3.1.45 | 3.1.45 |
| smarty | smarty | >= 4.0.0 < 4.1.1 | 4.1.1 |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
cvelistv58.8HIGH
osv8.8HIGH
vendor_ubuntu8.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
postfixadmin vulnerabilities
osv·2023-12-12·CVSS 8.8
CVE-2022-29221 [HIGH] postfixadmin vulnerabilities
postfixadmin vulnerabilities
It was discovered that Smarty, that is integrated in the PostfixAdmin
code, was not properly sanitizing user input when generating templates. An
attacker could, through PHP injection, possibly use this issue to execute
arbitrary code. (CVE-2022-29221)
It was discovered that Moment.js, that is integrated in the PostfixAdmin
code, was using an inefficient parsing algorithm when processing date
strings in the RFC 2822 standard. An attacker could possibly use this
issue to cause a denial of service. This issue only affected Ubuntu 22.04
LTS. (CVE-2022-31129)
It was discovered that Smarty, that is integrated in the PostfixAdmin
code, was not properly escaping JavaScript code. An attacker could
possibly use this issue to conduct cross-site scripting attacks (XSS).
OSV
smarty3 vulnerability
osv·2023-04-13·CVSS 8.8
CVE-2022-29221 [HIGH] smarty3 vulnerability
smarty3 vulnerability
It was discovered that Smarty incorrectly parsed blocks' names and
included files' names. A remote attacker with template writing permissions
could use this issue to execute arbitrary PHP code. (CVE-2022-29221)
OSV
PHP Code Injection by malicious block or filename in Smarty
osv·2022-05-25
CVE-2022-29221 [HIGH] PHP Code Injection by malicious block or filename in Smarty
PHP Code Injection by malicious block or filename in Smarty
### Impact
Template authors could inject php code by choosing a malicous {block} name or {include} file name. Sites that cannot fully trust template authors should update asap.
### Patches
Please upgrade to the most recent version of Smarty v3 or v4.
### Workarounds
_Is there a way for users to fix or remediate the vulnerability without upgrading?_
### References
_Are there any links users can visit to find out more?_
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [the Smarty repo](https://github.com/smarty-php/smarty)
GHSA
PHP Code Injection by malicious block or filename in Smarty
ghsa·2022-05-25
CVE-2022-29221 [HIGH] CWE-94 PHP Code Injection by malicious block or filename in Smarty
PHP Code Injection by malicious block or filename in Smarty
### Impact
Template authors could inject php code by choosing a malicous {block} name or {include} file name. Sites that cannot fully trust template authors should update asap.
### Patches
Please upgrade to the most recent version of Smarty v3 or v4.
### Workarounds
_Is there a way for users to fix or remediate the vulnerability without upgrading?_
### References
_Are there any links users can visit to find out more?_
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [the Smarty repo](https://github.com/smarty-php/smarty)
CVEList
PHP Code Injection by malicious block or filename in Smarty
cvelistv5·2022-05-24·CVSS 8.8
CVE-2022-29221 [HIGH] CWE-94 PHP Code Injection by malicious block or filename in Smarty
PHP Code Injection by malicious block or filename in Smarty
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.45 and 4.1.1, template authors could inject php code by choosing a malicious {block} name or {include} file name. Sites that cannot fully trust template authors should upgrade to versions 3.1.45 or 4.1.1 to receive a patch for this issue. There are currently no known workarounds.
Ubuntu
PostfixAdmin vulnerabilities
vendor_ubuntu·2023-12-12·CVSS 8.8
CVE-2022-31129 [HIGH] PostfixAdmin vulnerabilities
Title: PostfixAdmin vulnerabilities
Summary: Several security issues were fixed in PostfixAdmin.
It was discovered that Smarty, that is integrated in the PostfixAdmin
code, was not properly sanitizing user input when generating templates. An
attacker could, through PHP injection, possibly use this issue to execute
arbitrary code. (CVE-2022-29221)
It was discovered that Moment.js, that is integrated in the PostfixAdmin
code, was using an inefficient parsing algorithm when processing date
strings in the RFC 2822 standard. An attacker could possibly use this
issue to cause a denial of service. This issue only affected Ubuntu 22.04
LTS. (CVE-2022-31129)
It was discovered that Smarty, that is integrated in the PostfixAdmin
code, was not properly escaping JavaScript code. An attacker could
p
Ubuntu
Smarty vulnerability
vendor_ubuntu·2023-04-13·CVSS 8.8
CVE-2022-29221 [HIGH] Smarty vulnerability
Title: Smarty vulnerability
Summary: Smarty could be made to crash or run programs if it received a specially
crafted template.
It was discovered that Smarty incorrectly parsed blocks' names and
included files' names. A remote attacker with template writing permissions
could use this issue to execute arbitrary PHP code. (CVE-2022-29221)
Instructions: In general, a standard system update will make all the necessary changes.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2022-05-24
Published