Smarty before 3.1.21 allows remote attackers to bypass the secure mode restrictions and execute arbitrary PHP code, as demonstrated by “{literal}<{/literal}script language=php>” in a template.
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
Debian | 12 | all | smarty3 | < 3.1.21-1 | smarty3_3.1.21-1_all.deb |
Debian | 11 | all | smarty3 | < 3.1.21-1 | smarty3_3.1.21-1_all.deb |
Debian | 10 | all | smarty3 | < 3.1.21-1 | smarty3_3.1.21-1_all.deb |
Debian | 999 | all | smarty3 | < 3.1.21-1 | smarty3_3.1.21-1_all.deb |
Debian | 13 | all | smarty3 | < 3.1.21-1 | smarty3_3.1.21-1_all.deb |