Template authors could run arbitrary PHP code by crafting a malicious math string.
If a math string is passed through as user-provided data to the math function, external users could run arbitrary PHP code by crafting a malicious math string.
Please upgrade to 4.0.2 or 3.1.42, or a later release.
See the documentation on the math function.
If you have any questions or comments about this advisory, please open an issue in the Smarty repo.
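Added example (not code from the advisory or from the Smarty project) showing the defensive side of the above: check the installed Smarty version against the fixed releases named here, and keep user input out of the equation string by passing only validated numbers as {math} variables. Template name calc.tpl, the Composer autoload path and the width/height parameters are assumptions.

```php
<?php
// Added example, not part of the advisory or the Smarty code base.
// Assumes Smarty 3.1.x/4.0.x installed via Composer (hypothetical path).
require __DIR__ . '/vendor/autoload.php';

// Fixed versions named in the advisory: 4.0.2 for the 4.x line, 3.1.42 for 3.x.
function smartyIsPatched(string $version): bool
{
    if (version_compare($version, '4.0.0', '>=')) {
        return version_compare($version, '4.0.2', '>=');
    }
    return version_compare($version, '3.1.42', '>=');
}

// Untrusted input must never become the equation itself. Accept only a plain
// decimal number and hand it to the template as a variable; the formula stays
// a constant in the template.
function numericOnly(string $input): float
{
    if (!preg_match('/^-?\d+(\.\d+)?$/', $input)) {
        throw new InvalidArgumentException('numeric value expected');
    }
    return (float) $input;
}

$smarty = new Smarty();
if (!smartyIsPatched(Smarty::SMARTY_VERSION)) {
    error_log('Smarty ' . Smarty::SMARTY_VERSION
        . ' predates the CVE-2021-29454 fix; upgrade to 3.1.42 / 4.0.2 or later');
}

// Hypothetical request parameters; each is validated before reaching Smarty.
$smarty->assign('width',  numericOnly($_GET['width']  ?? '0'));
$smarty->assign('height', numericOnly($_GET['height'] ?? '0'));

// calc.tpl (assumed) keeps the equation fixed and only receives numbers:
//   {math equation="w * h" w=$width h=$height}
$smarty->display('calc.tpl');
```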
github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2021-29454.yaml
github.com/smarty-php/smarty
github.com/smarty-php/smarty/commit/215d81a9fa3cd63d82fb3ab56ecaf97cf1e7db71
github.com/smarty-php/smarty/releases/tag/v3.1.42
github.com/smarty-php/smarty/releases/tag/v4.0.2
github.com/smarty-php/smarty/security/advisories/GHSA-29gp-2c3m-3j6m
lists.debian.org/debian-lts-announce/2022/05/msg00005.html
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI
nvd.nist.gov/vuln/detail/CVE-2021-29454
packagist.org/packages/smarty/smarty
security.gentoo.org/glsa/202209-09
www.debian.org/security/2022/dsa-5151
www.smarty.net/docs/en/language.function.math.tpl