CVE-2023-28447: Cross site scripting vulnerability in Javascript escaping in smarty/smarty
First published: Tue Mar 28 2023(Updated: )
### Impact An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user. ### Patches Please upgrade to the most recent version of Smarty v3 or v4. ### For more information If you have any questions or comments about this advisory please open an issue in [the Smarty repo](https://github.com/smarty-php/smarty)
Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/smarty/smarty | <3.1.48>=4.0.0<4.1.1 | |
| Smarty Smarty | <3.1.48 | |
| Smarty Smarty | >=4.0.0<4.3.1 | |
| Fedoraproject Fedora | =36 | |
| Fedoraproject Fedora | =37 | |
| Fedoraproject Fedora | =38 | |
| composer/smarty/smarty | <3.1.48 | 3.1.48 |
| composer/smarty/smarty | >=4.0.0<4.3.1 | 4.3.1 |
| debian/smarty3 | <=3.1.39-2+deb11u1<=3.1.47-2 | 3.1.39-2+deb11u2 3.1.47-2+deb12u1 3.1.48-2 |
| debian/smarty4 | 4.3.0-1+deb12u1 4.3.0-1+deb12u2 4.5.4-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/smarty-php/smarty/security/advisories/GHSA-7j98-h7fp-4vwj
- https://github.com/smarty-php/smarty/commit/685662466f653597428966d75a661073104d713d
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HSAUM3YHWHO4UCJXRGRLQGPJAO3MFOZZ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JBB35GLYTL6JL6EOM6BOZNYP47JKNNHT/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P7O7SKTATM6GAP45S64QFXNLWIY5I7HP/
- https://launchpad.net/bugs/cve/CVE-2023-28447
- https://nvd.nist.gov/vuln/detail/CVE-2023-28447
- https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2023-28447.yaml
- https://github.com/advisories/GHSA-7j98-h7fp-4vwj (Advisory)
- https://github.com/smarty-php/smarty/commit/e75165565e9e5956a73365c24d650ba40570ae72
- https://github.com/smarty-php/smarty/commit/7677db7bc9a1dcfcad1435fc9d3bac3f295ca3ad
- https://security-tracker.debian.org/tracker/CVE-2023-28447
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28447
- https://ubuntu.com/security/CVE-2023-28447
- collector/friends-of-php
- collector/nvd-index
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/first-publish-date
- agent/weakness
- agent/remedy
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/author
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-7j98-h7fp-4vwj
- alias/CVE-2023-28447
- agent/severity
- agent/description
- collector/nvd-cve
- collector/github-advisory
- agent/references
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/title
- agent/event
- agent/tags
- collector/usn-cve
- source/Ubuntu
- package-manager/composer
- vendor/smarty
- canonical/smarty smarty
- version/smarty smarty/4.0.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/36
- version/fedoraproject fedora/37
- version/fedoraproject fedora/38
- package-manager/debian