cbcvebase.
CVE-2022-29221
published 2022-05-24

CVE-2022-29221: PHP Code Injection by malicious block or filename in Smarty Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from…

high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
4.54%
90.4th percentile
PHP Code Injection by malicious block or filename in Smarty Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.45 and 4.1.1, template authors could inject php code by choosing a malicious {block} name or {include} file name. Sites that cannot fully trust template authors should upgrade to versions 3.1.45 or 4.1.1 to receive a patch for this issue. There are currently no known workarounds.

Affected

7 ranges
VendorProductVersion rangeFixed in
postfixadminpostfixadmin>= 0 < 3.0.2-2ubuntu0.1~esm13.0.2-2ubuntu0.1~esm1
postfixadminpostfixadmin>= 0 < 3.2.1-3ubuntu0.1~esm13.2.1-3ubuntu0.1~esm1
postfixadminpostfixadmin>= 0 < 3.3.10-2ubuntu0.1~esm13.3.10-2ubuntu0.1~esm1
smarty-phpsmarty< 3.1.453.1.45
smarty-phpsmarty
smartysmarty>= 0 < 3.1.453.1.45
smartysmarty>= 4.0.0 < 4.1.14.1.1

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
cvelistv58.8HIGH
osv8.8HIGH
vendor_ubuntu8.8HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.