CVE-2023-28447 — Cross-site Scripting in Smarty

CWE-79 — Cross-site Scripting9 documents5 sources

Severity

6.1MEDIUMNVD

OSV8.8OSV5.4

EPSS

0.7%

top 27.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Smarty-php Smarty Smarty Postfixadmin +3 more

Timeline

PublishedMar 28

Latest updateDec 12

Description

Smarty is a template engine for PHP. In affected versions smarty did not properly escape javascript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user. Users are advised to upgrade to either version 3.1.48 or to 4.3.1 to resolve this issue. There are n…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages6 packages

▶NVDsmarty/smarty4.0.0 — 4.3.1+1

▶Packagistsmarty/smarty4.0.0 — 4.3.1+1

▶debiandebian/smarty3< smarty3 3.1.47-2+deb12u1 (bookworm)

▶debiandebian/smarty4< smarty3 3.1.47-2+deb12u1 (bookworm)

▶CVEListV5smarty-php/smarty< 3.1.48+1

Also affects: Fedora 36, 37, 38

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

smarty3 vulnerabilities↗2024-12-12

▶

OSV

postfixadmin vulnerabilities↗2023-12-12

▶

GHSA

smarty Cross-site Scripting vulnerability in Javascript escaping↗2023-03-29

▶

OSV

smarty Cross-site Scripting vulnerability in Javascript escaping↗2023-03-29

▶

OSV

CVE-2023-28447: Smarty is a template engine for PHP↗2023-03-28

▶

📋Vendor Advisories

Ubuntu

Smarty vulnerabilities↗2024-12-12

▶

Ubuntu

PostfixAdmin vulnerabilities↗2023-12-12

▶

Debian

CVE-2023-28447: smarty3 - Smarty is a template engine for PHP. In affected versions smarty did not properl...↗2023

▶