Lucene search

[email protected]NVD:CVE-2018-25047

HistorySep 15, 2022 - 12:15 a.m.

CVE-2018-25047

2022-09-1500:15:09

CWE-79

[email protected]

web.nvd.nist.gov

smarty

xss

vulnerability

parameterized input

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.002

Percentile

54.2%

JSON

In Smarty before 3.1.47 and 4.x before 4.2.1, libs/plugins/function.mailto.php allows XSS. A web page that uses smarty_function_mailto, and that could be parameterized using GET or POST input parameters, could allow injection of JavaScript code by a user.

Affected configurations

Nvd

Node

smartysmartyRange<3.1.47

smartysmartyRange4.0.0–4.2.1

Node

debiandebian_linuxMatch10.0

VendorProductVersionCPE
smartysmarty*cpe:2.3:a:smarty:smarty:*:*:*:*:*:*:*:*
debiandebian_linux10.0cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
smarty	smarty	*	cpe:2.3:a:smarty:smarty::::::::
debian	debian_linux	10.0	cpe:2.3:o:debian:debian_linux:10.0:::::::*

References

bugs.gentoo.org/870100

github.com/smarty-php/smarty/issues/454

github.com/smarty-php/smarty/releases/tag/v3.1.47

github.com/smarty-php/smarty/releases/tag/v4.2.1

lists.debian.org/debian-lts-announce/2023/01/msg00002.html

security.gentoo.org/glsa/202209-09