Security Advisories - smarty/smarty

smarty/smarty Security Advisories for v2.6.28 (13)

[HIGH] Cross site scripting vulnerability in Javascript escaping

PKSA-2q9d-8kh9-49wx CVE-2023-28447 GHSA-7j98-h7fp-4vwj

Affected version: <3.1.48|>=4.0.0,<4.1.1

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] smarty_function_mailto - JavaScript injection in eval function

PKSA-pght-23ww-rrdy CVE-2018-25047 GHSA-hwq7-5vv9-c6cf

Affected version: <3.1.47|>=4.0.0,<4.2.1

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] PHP Code Injection by malicious block or filename

PKSA-6y8p-nrf4-ysf5 CVE-2022-29221 GHSA-634x-pc3q-cf4c

Affected version: <3.1.45|>=4.0.0,<4.1.1

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Cross-site Scripting in SmartyException

PKSA-yr6f-z9sx-cps3 CVE-2012-4437 GHSA-9gqj-ppv2-f2hq

Affected version: <3.1.12

Reported by:
GitHub
[HIGH] Smarty arbitrary PHP code execution

PKSA-28zg-9h7g-fhvp CVE-2014-8350 GHSA-2pmx-6mm6-6v72

Affected version: <3.1.21

Reported by:
GitHub
[MEDIUM] Smarty Does Not Consider Umask Values When Setting Permissions

PKSA-54c6-f9b9-7wg4 CVE-2009-5054 GHSA-6m9f-8vwq-97pm

Affected version: <3.0.0-beta4

Reported by:
GitHub
[CRITICAL] Smarty3 Arbitrary PHP Code Execution

PKSA-wy1k-8qg5-z8xd CVE-2011-1028 GHSA-6frx-2r5w-c524

Affected version: <3.0.7

Reported by:
GitHub
[HIGH] Access to restricted PHP code by dynamic static class access

PKSA-31hv-m6rg-8ryk CVE-2021-21408 GHSA-4h9c-v5vg-5m6m

Affected version: <3.1.43|>=4.0.0,<4.0.3

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] Sandbox Escape by math function

PKSA-98zc-53yc-qt81 CVE-2021-29454 GHSA-29gp-2c3m-3j6m

Affected version: <3.1.42|>=4.0.0,<4.0.2

Reported by:
GitHub, FriendsOfPHP/security-advisories
[CRITICAL] Smarty_Internal_Runtime_TplFunction Sandbox Escape PHP Code Injection

PKSA-t4kv-1sv2-1mzx CVE-2021-26120 GHSA-3rpf-5rqv-689q

Affected version: <=3.1.38

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] template_object Sandbox Escape PHP Code Injection

PKSA-wc9h-gs49-76tm CVE-2021-26119 GHSA-w5hr-jm4j-9jvq

Affected version: <=3.1.38

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] Trusted-Directory Bypass via Path Traversal

PKSA-hgp5-21g7-7phg CVE-2018-13982 GHSA-7gfx-wxfh-7rvm

Affected version: <3.1.33

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Trusted-Directory Bypass via Path Traversal

PKSA-thph-wfk6-pp4j CVE-2018-16831 GHSA-65j5-vpm7-6xp4

Affected version: <3.1.33

Reported by:
GitHub, FriendsOfPHP/security-advisories

smarty/smarty Security Advisories for v2.6.28 (13)

[HIGH] Cross site scripting vulnerability in Javascript escaping

[MEDIUM] smarty_function_mailto - JavaScript injection in eval function

[HIGH] PHP Code Injection by malicious block or filename

[MEDIUM] Cross-site Scripting in SmartyException

[HIGH] Smarty arbitrary PHP code execution

[MEDIUM] Smarty Does Not Consider Umask Values When Setting Permissions

[CRITICAL] Smarty3 Arbitrary PHP Code Execution

[HIGH] Access to restricted PHP code by dynamic static class access

[HIGH] Sandbox Escape by math function

[CRITICAL] Smarty_Internal_Runtime_TplFunction Sandbox Escape PHP Code Injection

[HIGH] template_object Sandbox Escape PHP Code Injection

[HIGH] Trusted-Directory Bypass via Path Traversal

[MEDIUM] Trusted-Directory Bypass via Path Traversal