Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2023-28447

Опубликовано: 28 мар. 2023
Источник: debian
EPSS Низкий

Описание

Smarty is a template engine for PHP. In affected versions smarty did not properly escape javascript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user. Users are advised to upgrade to either version 3.1.48 or to 4.3.1 to resolve this issue. There are no known workarounds for this vulnerability.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
smarty3fixed3.1.48-1package
smarty3no-dsabusterpackage
smarty4fixed4.3.1-1package
smarty4fixed4.3.0-1+deb12u1bookwormpackage

Примечания

  • https://github.com/smarty-php/smarty/security/advisories/GHSA-7j98-h7fp-4vwj

  • https://github.com/smarty-php/smarty/commit/e75165565e9e5956a73365c24d650ba40570ae72 (v4.3.1)

  • https://github.com/smarty-php/smarty/commit/7677db7bc9a1dcfcad1435fc9d3bac3f295ca3ad (v3.1.48)

EPSS

Процентиль: 69%
0.00615
Низкий

Связанные уязвимости

ubuntu логотип

CVE-2023-28447

CVSS3: 7.1
ubuntu
почти 3 года назад

Smarty is a template engine for PHP. In affected versions smarty did not properly escape javascript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user. Users are advised to upgrade to either version 3.1.48 or to 4.3.1 to resolve this issue. There are no known workarounds for this vulnerability.

nvd логотип

CVE-2023-28447

CVSS3: 7.1
nvd
почти 3 года назад

Smarty is a template engine for PHP. In affected versions smarty did not properly escape javascript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user. Users are advised to upgrade to either version 3.1.48 or to 4.3.1 to resolve this issue. There are no known workarounds for this vulnerability.

github логотип

GHSA-7j98-h7fp-4vwj

CVSS3: 7.1
github
почти 3 года назад

smarty Cross-site Scripting vulnerability in Javascript escaping

EPSS

Процентиль: 69%
0.00615
Низкий