mageia | Gentoo Foundation | MGASA-2023-0014
History: Jan 24, 2023 - 10:58 a.m.

Updated php-smarty packages fix security vulnerability

2023-01-24 10:58:24
Gentoo Foundation
advisories.mageia.org
php-smarty packages
security vulnerability
cross-site scripting
smarty3
php templating engine
xss
injection of javascript
cve-2018-25047
unix

CVSS3: 5.4

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.002
Percentile: 54.2%

It was discovered that there was a potential cross-site scripting vulnerability in smarty3, a widely-used PHP templating engine. In Smarty before 3.1.47 and 4.x before 4.2.1, libs/plugins/function.mailto.php allows XSS. A web page that uses smarty_function_mailto, and that could be parameterized using GET or POST input parameters, could allow injection of JavaScript code by a user. (CVE-2018-25047)

OS      Version  Architecture  Package     Version    Filename
Mageia  8        noarch        php-smarty  < 4.2.1-1  php-smarty-4.2.1-1.mga8
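
As an added example (not part of the advisory or of Smarty itself), the following Python triage script checks a Smarty version string against the affected range stated above and lists the {mailto} calls in a template whose attributes are fed from template variables. It assumes default { } delimiters; the function names and the sample template are constructed for illustration.

```python
import re

# Fixed releases named in the advisory: 3.1.47 for the 3.x line, 4.2.1 for 4.x.
FIXED = {3: (3, 1, 47), 4: (4, 2, 1)}

def is_affected(version: str) -> bool:
    """True if a Smarty version string falls in the advisory's affected range."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))
    if parts[0] < 3:
        return True            # older majors are also "before 3.1.47"
    if parts[0] in FIXED:
        return parts < FIXED[parts[0]]
    return False               # outside the range the advisory states

# Assumption: templates use Smarty's default { } delimiters.
MAILTO_TAG = re.compile(r"\{mailto\b([^}]*)\}")
ATTR = re.compile(r"(\w+)\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s}]+)")

def dynamic_mailto_calls(template: str):
    """Return (line_no, [attr, ...]) for {mailto} tags fed by template variables.

    Single-quoted Smarty strings are literal; unquoted and double-quoted
    values can carry a $variable, which may trace back to request input.
    """
    hits = []
    for tag in MAILTO_TAG.finditer(template):
        dynamic = [name for name, value in ATTR.findall(tag.group(1))
                   if "$" in value and not value.startswith("'")]
        if dynamic:
            line_no = template.count("\n", 0, tag.start()) + 1
            hits.append((line_no, dynamic))
    return hits

# Constructed sample template, not taken from any real application.
SAMPLE_TEMPLATE = """\
<p>Contact: {mailto address="support@example.com" encode="javascript"}</p>
<p>Owner: {mailto address=$smarty.get.email text=$owner_name}</p>
<p>Sales: {mailto address='sales@example.com' subject="Re: $topic"}</p>
"""

if __name__ == "__main__":
    for v in ("3.1.46", "3.1.47", "4.2.0", "4.2.1-1.mga8"):
        print(v, "affected" if is_affected(v) else "not affected")
    for line_no, attrs in dynamic_mailto_calls(SAMPLE_TEMPLATE):
        print(f"line {line_no}: review variable-fed attributes {attrs}")
```

Each hit is a review lead, not a finding: whether the flagged variable actually carries GET or POST input has to be traced in the PHP code that assigns it.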
