| purl | pkg:composer/smarty/smarty@3.1.21 |

| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-1vrk-mr94-huar Aliases: CVE-2018-25047 GHSA-hwq7-5vv9-c6cf | Multiple vulnerabilities have been found in Smarty, the worst of which could result in remote code execution | Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-3mxe-phrs-j7d1 Aliases: CVE-2021-21408 GHSA-4h9c-v5vg-5m6m | Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.43 and 4.0.3, template authors could run restricted static php methods. Users should upgrade to version 3.1.43 or 4.0.3 to receive a patch. | Affected by 4 other vulnerabilities. Affected by 1 other vulnerability. Affected by 4 other vulnerabilities. Affected by 1 other vulnerability. |
| VCID-85qb-yjs9-4kc8 Aliases: CVE-2018-16831 GHSA-65j5-vpm7-6xp4 | Smarty before 3.1.33-dev-4 allows attackers to bypass the trusted_dir protection mechanism via a file:./../ substring in an include statement. | Affected by 9 other vulnerabilities. Affected by 1 other vulnerability. |
| VCID-bcsf-ygsf-gkf8 Aliases: CVE-2021-26120 GHSA-3rpf-5rqv-689q | Multiple vulnerabilities in the Smarty template engine might allow remote attackers to execute arbitrary PHP code. | Affected by 6 other vulnerabilities. |
| VCID-g4mk-4raf-a3bj Aliases: CVE-2021-29454 GHSA-29gp-2c3m-3j6m | Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.42 and 4.0.2, template authors could run arbitrary PHP code by crafting a malicious math string. If a math string was passed through as user provided data to the math function, external users could run arbitrary PHP code by crafting a malicious math string. Users should upgrade to version 3.1.42 or 4.0.2 to receive a patch. | Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. |
| VCID-j99h-vc6w-hyd5 Aliases: CVE-2017-1000480 GHSA-9m49-vhwv-422g | security update | Affected by 11 other vulnerabilities. Affected by 1 other vulnerability. |
| VCID-ke5v-yxmm-fydq Aliases: CVE-2022-29221 GHSA-634x-pc3q-cf4c | Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.45 and 4.1.1, template authors could inject php code by choosing a malicious {block} name or {include} file name. Sites that cannot fully trust template authors should upgrade to versions 3.1.45 or 4.1.1 to receive a patch for this issue. There are currently no known workarounds. | Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. |
| VCID-q28h-yy5c-6qgk Aliases: CVE-2021-26119 GHSA-w5hr-jm4j-9jvq | Multiple vulnerabilities in the Smarty template engine might allow remote attackers to execute arbitrary PHP code. | Affected by 6 other vulnerabilities. |
| VCID-u5f6-hy8m-5qd6 Aliases: CVE-2023-41661 | | Affected by 8 other vulnerabilities. |
| VCID-ukne-sz3k-xkhf Aliases: CVE-2023-28447 GHSA-7j98-h7fp-4vwj | Smarty is a template engine for PHP. In affected versions smarty did not properly escape javascript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user. Users are advised to upgrade to either version 3.1.48 or to 4.3.1 to resolve this issue. There are no known workarounds for this vulnerability. | Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
| VCID-vtgu-facr-b7a2 Aliases: CVE-2018-13982 GHSA-7gfx-wxfh-7rvm | Smarty_Security::isTrustedResourceDir() in Smarty before 3.1.33 is prone to a path traversal vulnerability due to insufficient template code sanitization. This allows attackers controlling the executed template code to bypass the trusted directory security restriction and read arbitrary files. | Affected by 9 other vulnerabilities. |
| VCID-yvk2-k49u-1bat Aliases: CVE-2024-35226 GHSA-4rmg-292m-wg3w | Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. In affected versions template authors could inject php code by choosing a malicious file name for an extends-tag. Sites that cannot fully trust template authors should update asap. All users are advised to update. There is no patch for users on the v3 branch. There are no known workarounds for this vulnerability. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |


| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-jjju-kned-ufhr | Smarty before 3.1.21 allows remote attackers to bypass the secure mode restrictions and execute arbitrary PHP code as demonstrated by "{literal}<{/literal}script language=php>" in a template. | CVE-2014-8350 GHSA-2pmx-6mm6-6v72 |