CVE-2023-28447

Published: Mar 28, 2023Modified: Nov 3, 2025

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

Smarty is a template engine for PHP. In affected versions smarty did not properly escape javascript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user. Users are advised to upgrade to either version 3.1.48 or to 4.3.1 to resolve this issue. There are no known workarounds for this vulnerability.

Affected (5)

Products: Smarty: Smarty · Fedoraproject: Fedora

1 product

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Smarty Smarty	Before 3.1.48
Smarty Smarty	From 4.0.0 to 4.3.1

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 36
Fedoraproject Fedora	Version 37
Fedoraproject Fedora	Version 38

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (11)

https://github.com/smarty-php/smarty/commit/685662466f653597428966d75a661073104d713d

Source: security-advisories@github.com

Patch

https://github.com/smarty-php/smarty/security/advisories/GHSA-7j98-h7fp-4vwj

Source: security-advisories@github.com

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HSAUM3YHWHO4UCJXRGRLQGPJAO3MFOZZ/

Source: security-advisories@github.com

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JBB35GLYTL6JL6EOM6BOZNYP47JKNNHT/

Source: security-advisories@github.com

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P7O7SKTATM6GAP45S64QFXNLWIY5I7HP/

Source: security-advisories@github.com

Mailing ListThird Party Advisory

https://github.com/smarty-php/smarty/commit/685662466f653597428966d75a661073104d713d

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/smarty-php/smarty/security/advisories/GHSA-7j98-h7fp-4vwj

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2024/11/msg00013.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HSAUM3YHWHO4UCJXRGRLQGPJAO3MFOZZ/

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JBB35GLYTL6JL6EOM6BOZNYP47JKNNHT/

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P7O7SKTATM6GAP45S64QFXNLWIY5I7HP/

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

Timeline

No history available yet.