Lucene search

K

GoogleOSV:CVE-2018-25047

HistorySep 15, 2022 - 12:15 a.m.

CVE-2018-25047

2022-09-1500:15:09

Google

osv.dev

12

smarty

xss

vulnerability

version 3.1.47

version 4.x

injection

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

AI Score

7.1

Confidence

Low

EPSS

0.002

Percentile

54.2%

In Smarty before 3.1.47 and 4.x before 4.2.1, libs/plugins/function.mailto.php allows XSS. A web page that uses smarty_function_mailto, and that could be parameterized using GET or POST input parameters, could allow injection of JavaScript code by a user.

References

bugs.gentoo.org/870100

github.com/smarty-php/smarty/issues/454

github.com/smarty-php/smarty/releases/tag/v3.1.47

github.com/smarty-php/smarty/releases/tag/v4.2.1

lists.debian.org/debian-lts-announce/2023/01/msg00002.html

security.gentoo.org/glsa/202209-09

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

AI Score

7.1

Confidence

Low

EPSS

0.002

Percentile

54.2%

Related for OSV:CVE-2018-25047

ubuntucve1 debiancve1 prion1 openvas2 nessus2 friendsofphp1 cve1 nvd1 debian1 cvelist1 mageia1 veracode1 osv2 github1 gentoo1