Source: smarty3
Version: 3.1.47-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: clone -1 -2
Control: reassign -2 src:smarty4 4.3.0-1
Control: retitle -2 smarty4: CVE-2023-28447: Cross site scripting vulnerability in Javascript escaping

Hi,

The following vulnerability was published for smarty.

CVE-2023-28447[0]:
| Smarty is a template engine for PHP. In affected versions smarty did
| not properly escape javascript code. An attacker could exploit this
| vulnerability to execute arbitrary JavaScript code in the context of
| the user's browser session. This may lead to unauthorized access to
| sensitive user data, manipulation of the web application's behavior,
| or unauthorized actions performed on behalf of the user. Users are
| advised to upgrade to either version 3.1.48 or to 4.3.1 to resolve
| this issue. There are no known workarounds for this vulnerability.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-28447
    https://www.cve.org/CVERecord?id=CVE-2023-28447
[1] https://github.com/smarty-php/smarty/security/advisories/GHSA-7j98-h7fp-4vwj

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
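Editor's note: the advisory quoted above does not say which characters Smarty's JavaScript escaping mishandled, so the following is an added illustration of the general bug class rather than a reproduction of CVE-2023-28447. It is not Smarty's code; the two escapers, the render_script() stand-in for a template, the check function and the attacker input are all hypothetical and constructed for this example. The point it makes goes beyond the quoted text: escaping that only protects a JavaScript string literal (backslashes, quotes, line breaks) is insufficient when the value is emitted inside an HTML <script> element, because the HTML tokenizer closes the element at "</script" before any JavaScript is parsed, so the surrounding quotes give no protection.

```php
<?php
// Added illustration for this report; it is not Smarty's code and does not
// reproduce the exact CVE-2023-28447 defect (the advisory does not say which
// characters were mishandled). Both escapers and the template are hypothetical.

// Escaper that only protects a JavaScript string literal: backslashes, quotes
// and line breaks. Adequate for a standalone .js file, not for inline HTML.
function js_string_escape_weak(string $s): string
{
    return strtr($s, [
        '\\' => '\\\\',
        "'"  => "\\'",
        '"'  => '\\"',
        "\r" => '\\r',
        "\n" => '\\n',
    ]);
}

// Hardened escaper: additionally hex-escapes the characters the HTML tokenizer
// reacts to inside <script> ("</" closes the element, "<!--" switches its
// parsing state) and the two Unicode line terminators JavaScript treats as
// newlines. Applied after the weak step, so nothing is double-escaped.
function js_string_escape_strong(string $s): string
{
    return strtr(js_string_escape_weak($s), [
        '<'        => '\\x3C',
        '>'        => '\\x3E',
        '&'        => '\\x26',
        "\u{2028}" => '\\u2028',
        "\u{2029}" => '\\u2029',
    ]);
}

// Stand-in for a template that embeds a user-controlled value in a script block.
function render_script(string $untrusted, callable $escape): string
{
    return "<script>var name = '" . $escape($untrusted) . "';</script>";
}

// Check: does the embedded value still contain a script end-tag opener after
// escaping? The HTML tokenizer acts on it before any JavaScript runs.
function breaks_out_of_script(string $html): bool
{
    $inner = substr($html, strlen('<script>'), -strlen('</script>'));
    return preg_match('#</script#i', $inner) === 1;
}

// Constructed attacker input: contains no quote, backslash or newline, so the
// weak escaper passes it through unchanged and the browser sees a second
// <script> element.
$payload = "</script><script>alert(document.cookie)</script>";

$weak   = render_script($payload, 'js_string_escape_weak');
$strong = render_script($payload, 'js_string_escape_strong');

echo $weak, "\n";
echo $strong, "\n";
var_dump(breaks_out_of_script($weak));
var_dump(breaks_out_of_script($strong));
```

Run it with a plain `php` interpreter; no Smarty installation is needed. The design choice worth noting is that the hardened escaper does not try to enumerate dangerous tag names: it removes the literal "<", ">" and "&" from the output altogether, so "</script", "<!--" and similar sequences can never reach the HTML tokenizer, whatever the surrounding markup looks like. The same reasoning is why, when a value is only ever destined for an HTML attribute or text node, an HTML escaper is the right tool and a JavaScript-string escaper is the wrong one: the escaping has to match the outermost parser that will see the bytes first.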

