GHSA-hwq7-5vv9-c6cf
- Source
- https://github.com/advisories/GHSA-hwq7-5vv9-c6cf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-hwq7-5vv9-c6cf/GHSA-hwq7-5vv9-c6cf.json
- Aliases
- Published
- 2022-09-16T00:00:39Z
- Modified
- 2023-11-08T04:00:15.400554Z
- Details
-
In Smarty before 3.1.47 and 4.x before 4.2.1,
libs/plugins/function.mailto.phpallows cross-site scripting. A web page that usessmarty_function_mailto, and that could be parameterized using GET or POST input parameters, could allow injection of JavaScript code by a user. - References
-
- https://nvd.nist.gov/vuln/detail/CVE-2018-25047
- https://github.com/smarty-php/smarty/issues/454
- https://github.com/smarty-php/smarty/commit/55ea25d1f50f0406fb1ccedd212c527977793fc9
- https://bugs.gentoo.org/870100
- https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2018-25047.yaml
- https://github.com/smarty-php/smarty
- https://github.com/smarty-php/smarty/releases/tag/v3.1.47
- https://github.com/smarty-php/smarty/releases/tag/v4.2.1
- https://lists.debian.org/debian-lts-announce/2023/01/msg00002.html
- https://security.gentoo.org/glsa/202209-09
Affected packages
Packagist / smarty/smarty
Package
- Name
- smarty/smarty
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0The exact introduced commit is unknownFixed3.1.47
Affected versions
v2.*
v2.6.24
v2.6.25
v2.6.26
v2.6.27
v2.6.28
v2.6.29
v2.6.30
v2.6.31
v2.6.33
v3.*
v3.1.11
v3.1.12
v3.1.13
v3.1.14
v3.1.15
v3.1.16
v3.1.17
v3.1.18
v3.1.19
v3.1.20
v3.1.21
v3.1.23
v3.1.24
v3.1.25
v3.1.26
v3.1.27
v3.1.28
v3.1.29
v3.1.30
v3.1.31
v3.1.32
v3.1.33
v3.1.34
v3.1.35
v3.1.36
v3.1.37
v3.1.37.1
v3.1.38
v3.1.39
v3.1.40
v3.1.41
v3.1.42
v3.1.43
v3.1.44
v3.1.45
v3.1.46
Packagist / smarty/smarty
Package
- Name
- smarty/smarty