Lucene search

[email protected]NVD:CVE-2023-28447

HistoryMar 28, 2023 - 9:15 p.m.

CVE-2023-28447

2023-03-2821:15:11

CWE-79

[email protected]

web.nvd.nist.gov

smarty

php

remote attackers

arbitrary javascript code

user's browser session

unauthorized access

sensitive user data

web application

unauthorized actions

upgrade

vulnerability

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

7.3

Confidence

High

EPSS

0.002

Percentile

52.7%

JSON

Smarty is a template engine for PHP. In affected versions smarty did not properly escape javascript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user’s browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application’s behavior, or unauthorized actions performed on behalf of the user. Users are advised to upgrade to either version 3.1.48 or to 4.3.1 to resolve this issue. There are no known workarounds for this vulnerability.

Affected configurations

Nvd

Node

smartysmartyRange<3.1.48

smartysmartyRange4.0.0–4.3.1

Node

fedoraprojectfedoraMatch36

fedoraprojectfedoraMatch37

fedoraprojectfedoraMatch38

VendorProductVersionCPE
smartysmarty*cpe:2.3:a:smarty:smarty:*:*:*:*:*:*:*:*
fedoraprojectfedora36cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
fedoraprojectfedora37cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
fedoraprojectfedora38cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
smarty	smarty	*	cpe:2.3:a:smarty:smarty::::::::
fedoraproject	fedora	36	cpe:2.3:o:fedoraproject:fedora:36:::::::*
fedoraproject	fedora	37	cpe:2.3:o:fedoraproject:fedora:37:::::::*
fedoraproject	fedora	38	cpe:2.3:o:fedoraproject:fedora:38:::::::*