26 results (0.040 seconds)

CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in PressPage Entertainment Inc. Smarty for WordPress plugin <= 3.1.35 versions. Vulnerabilidad de Coss-Site Scripting (XSS) autenticada (con permisos de admin o superiores) almacenada en PressPage Entertainment Inc. Smarty para el complemento WordPress en versiones &lt;= 3.1.35. • https://patchstack.com/database/vulnerability/smarty-for-wordpress/wordpress-smarty-for-wordpress-plugin-3-1-35-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0

Smarty is a template engine for PHP. In affected versions smarty did not properly escape javascript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user. Users are advised to upgrade to either version 3.1.48 or to 4.3.1 to resolve this issue. • https://github.com/smarty-php/smarty/commit/685662466f653597428966d75a661073104d713d https://github.com/smarty-php/smarty/security/advisories/GHSA-7j98-h7fp-4vwj https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HSAUM3YHWHO4UCJXRGRLQGPJAO3MFOZZ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JBB35GLYTL6JL6EOM6BOZNYP47JKNNHT https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P7O7SKTATM6GAP45S64QFXNLWIY5I7HP • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 1

In Smarty before 3.1.47 and 4.x before 4.2.1, libs/plugins/function.mailto.php allows XSS. A web page that uses smarty_function_mailto, and that could be parameterized using GET or POST input parameters, could allow injection of JavaScript code by a user. En Smarty versiones anteriores a 3.1.47 y 4.x anteriores a 4.2.1, el archivo libs/plugins/function.mailto.php permite un ataque de tipo XSS. Una página web que usa smarty_function_mailto, y que pueda ser parametrizada usando parámetros de entrada GET o POST, podría permitir una inyección de código JavaScript por parte de un usuario • https://bugs.gentoo.org/870100 https://github.com/smarty-php/smarty/issues/454 https://github.com/smarty-php/smarty/releases/tag/v3.1.47 https://github.com/smarty-php/smarty/releases/tag/v4.2.1 https://lists.debian.org/debian-lts-announce/2023/01/msg00002.html https://security.gentoo.org/glsa/202209-09 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 0%CPEs: 7EXPL: 1

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.45 and 4.1.1, template authors could inject php code by choosing a malicious {block} name or {include} file name. Sites that cannot fully trust template authors should upgrade to versions 3.1.45 or 4.1.1 to receive a patch for this issue. There are currently no known workarounds. Smarty es un motor de plantillas para PHP, que facilita la separación de la presentación (HTML/CSS) de la lógica de la aplicación. • https://github.com/sbani/CVE-2022-29221-PoC https://github.com/smarty-php/smarty/commit/64ad6442ca1da31cefdab5c9874262b702cccddd https://github.com/smarty-php/smarty/releases/tag/v3.1.45 https://github.com/smarty-php/smarty/releases/tag/v4.1.1 https://github.com/smarty-php/smarty/security/advisories/GHSA-634x-pc3q-cf4c https://lists.debian.org/debian-lts-announce/2022/05/msg00044.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 8.8EPSS: 0%CPEs: 7EXPL: 0

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.42 and 4.0.2, template authors could run arbitrary PHP code by crafting a malicious math string. If a math string was passed through as user provided data to the math function, external users could run arbitrary PHP code by crafting a malicious math string. Users should upgrade to version 3.1.42 or 4.0.2 to receive a patch. Smarty es un motor de plantillas para PHP que facilita la separación de la presentación (HTML/CSS) de la lógica de la aplicación. • https://github.com/smarty-php/smarty/commit/215d81a9fa3cd63d82fb3ab56ecaf97cf1e7db71 https://github.com/smarty-php/smarty/releases/tag/v3.1.42 https://github.com/smarty-php/smarty/releases/tag/v4.0.2 https://github.com/smarty-php/smarty/security/advisories/GHSA-29gp-2c3m-3j6m https://lists.debian.org/debian-lts-announce/2022/05/msg00005.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ https://lists.fedoraproject.org/archives/l • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •