Cross-site Scripting (XSS) Affecting smarty3 package, versions <3.1.48-1ubuntu0.24.10.1


Severity

Recommended
high

Based on Ubuntu security rating.

Threat Intelligence

EPSS
0.22% (62nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Cross-site Scripting (XSS) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-UBUNTU2410-SMARTY3-8197417
  • published13 Dec 2024
  • disclosed28 Mar 2023

Introduced: 28 Mar 2023

CVE-2023-28447  (opens in a new tab)
CWE-79  (opens in a new tab)

How to fix?

Upgrade Ubuntu:24.10 smarty3 to version 3.1.48-1ubuntu0.24.10.1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream smarty3 package and not the smarty3 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.10 relevant fixed versions and status.

Smarty is a template engine for PHP. In affected versions smarty did not properly escape javascript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user. Users are advised to upgrade to either version 3.1.48 or to 4.3.1 to resolve this issue. There are no known workarounds for this vulnerability.

CVSS Scores

version 3.1