Lucene search

Gentoo FoundationMGASA-2014-0468

HistoryNov 21, 2014 - 3:44 p.m.

Updated php-smarty packages fix security vulnerabilities

2014-11-2115:44:16

Gentoo Foundation

advisories.mageia.org

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.048 Low

EPSS

Percentile

92.7%

JSON

Cross-site scripting (XSS) vulnerability in the SmartyException class in Smarty (aka smarty-php) before 3.1.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors that trigger a Smarty exception (CVE-2012-4437). Smarty before 3.1.21 allows remote attackers to bypass the secure mode restrictions and execute arbitrary PHP code as demonstrated by “{literal}<{/literal}script language=php>” in a template (CVE-2014-8350).

OSVersionArchitecturePackageVersionFilename
Mageia3noarchphp-smarty< 3.1.21-1php-smarty-3.1.21-1.mga3

OS	Version	Architecture	Package	Version	Filename
Mageia	3	noarch	php-smarty	< 3.1.21-1	php-smarty-3.1.21-1.mga3

References

bugs.mageia.org/show_bug.cgi?id=14465

lists.fedoraproject.org/pipermail/package-announce/2014-November/142696.html

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.048 Low

EPSS

Percentile

92.7%

JSON

Related for MGASA-2014-0468