CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41661 – WordPress Smarty for WordPress Plugin <= 3.1.35 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-41661
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in PressPage Entertainment Inc. Smarty for WordPress plugin <= 3.1.35 versions. Vulnerabilidad de Coss-Site Scripting (XSS) autenticada (con permisos de admin o superiores) almacenada en PressPage Entertainment Inc. Smarty para el complemento WordPress en versiones <= 3.1.35. • https://patchstack.com/database/vulnerability/smarty-for-wordpress/wordpress-smarty-for-wordpress-plugin-3-1-35-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2023-28447 – Cross site scripting vulnerability in Javascript escaping in smarty/smarty
https://notcve.org/view.php?id=CVE-2023-28447
Smarty is a template engine for PHP. In affected versions smarty did not properly escape javascript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user. Users are advised to upgrade to either version 3.1.48 or to 4.3.1 to resolve this issue. • https://github.com/smarty-php/smarty/commit/685662466f653597428966d75a661073104d713d https://github.com/smarty-php/smarty/security/advisories/GHSA-7j98-h7fp-4vwj https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HSAUM3YHWHO4UCJXRGRLQGPJAO3MFOZZ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JBB35GLYTL6JL6EOM6BOZNYP47JKNNHT https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P7O7SKTATM6GAP45S64QFXNLWIY5I7HP • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 1CVE-2018-25047
https://notcve.org/view.php?id=CVE-2018-25047
In Smarty before 3.1.47 and 4.x before 4.2.1, libs/plugins/function.mailto.php allows XSS. A web page that uses smarty_function_mailto, and that could be parameterized using GET or POST input parameters, could allow injection of JavaScript code by a user. En Smarty versiones anteriores a 3.1.47 y 4.x anteriores a 4.2.1, el archivo libs/plugins/function.mailto.php permite un ataque de tipo XSS. Una página web que usa smarty_function_mailto, y que pueda ser parametrizada usando parámetros de entrada GET o POST, podría permitir una inyección de código JavaScript por parte de un usuario • https://bugs.gentoo.org/870100 https://github.com/smarty-php/smarty/issues/454 https://github.com/smarty-php/smarty/releases/tag/v3.1.47 https://github.com/smarty-php/smarty/releases/tag/v4.2.1 https://lists.debian.org/debian-lts-announce/2023/01/msg00002.html https://security.gentoo.org/glsa/202209-09 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 7EXPL: 1CVE-2022-29221 – PHP Code Injection by malicious block or filename in Smarty
https://notcve.org/view.php?id=CVE-2022-29221
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.45 and 4.1.1, template authors could inject php code by choosing a malicious {block} name or {include} file name. Sites that cannot fully trust template authors should upgrade to versions 3.1.45 or 4.1.1 to receive a patch for this issue. There are currently no known workarounds. Smarty es un motor de plantillas para PHP, que facilita la separación de la presentación (HTML/CSS) de la lógica de la aplicación. • https://github.com/sbani/CVE-2022-29221-PoC https://github.com/smarty-php/smarty/commit/64ad6442ca1da31cefdab5c9874262b702cccddd https://github.com/smarty-php/smarty/releases/tag/v3.1.45 https://github.com/smarty-php/smarty/releases/tag/v4.1.1 https://github.com/smarty-php/smarty/security/advisories/GHSA-634x-pc3q-cf4c https://lists.debian.org/debian-lts-announce/2022/05/msg00044.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: 7EXPL: 0CVE-2021-21408 – Access to restricted PHP code by dynamic static class access in smarty
https://notcve.org/view.php?id=CVE-2021-21408
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.43 and 4.0.3, template authors could run restricted static php methods. Users should upgrade to version 3.1.43 or 4.0.3 to receive a patch. Smarty es un motor de plantillas para PHP que facilita la separación de la presentación (HTML/CSS) de la lógica de la aplicación. Antes de las versiones 3.1.43 y 4.0.3, los autores de plantillas podían ejecutar métodos estáticos restringidos de php. • https://github.com/smarty-php/smarty/commit/19ae410bf56007a5ef24441cdc6414619cfaf664 https://github.com/smarty-php/smarty/releases/tag/v3.1.43 https://github.com/smarty-php/smarty/releases/tag/v4.0.3 https://github.com/smarty-php/smarty/security/advisories/GHSA-4h9c-v5vg-5m6m https://lists.debian.org/debian-lts-announce/2022/05/msg00005.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ https://lists.fedoraproject.org/archives/l • CWE-20: Improper Input Validation •