Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Smarty
(Smarty)Repositories | https://github.com/smarty-php/smarty |
#Vulnerabilities | 31 |
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2018-09-18 | CVE-2018-13982 | Smarty_Security::isTrustedResourceDir() in Smarty before 3.1.33 is prone to a path traversal vulnerability due to insufficient template code sanitization. This allows attackers controlling the executed template code to bypass the trusted directory security restriction and read arbitrary files. | Debian_linux, Smarty | 7.5 | ||
2019-11-20 | CVE-2011-1028 | The $smarty.template variable in Smarty3 allows attackers to possibly execute arbitrary PHP code via the sysplugins/smarty_internal_compile_private_special_variable.php file. | Debian_linux, Smarty | N/A | ||
2018-09-11 | CVE-2018-16831 | Smarty before 3.1.33-dev-4 allows attackers to bypass the trusted_dir protection mechanism via a file:./../ substring in an include statement. | Smarty | 5.9 | ||
2018-01-03 | CVE-2017-1000480 | Smarty 3 before 3.1.32 is vulnerable to a PHP code injection when calling fetch() or display() functions on custom resources that does not sanitize template name. | Smarty | 9.8 | ||
2014-11-03 | CVE-2014-8350 | Smarty before 3.1.21 allows remote attackers to bypass the secure mode restrictions and execute arbitrary PHP code as demonstrated by "{literal}<{/literal}script language=php>" in a template. | Smarty | N/A | ||
2012-10-01 | CVE-2012-4437 | Cross-site scripting (XSS) vulnerability in the SmartyException class in Smarty (aka smarty-php) before 3.1.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors that trigger a Smarty exception. | Smarty | N/A | ||
2012-08-13 | CVE-2012-4277 | Cross-site scripting (XSS) vulnerability in the smarty_function_html_options_optoutput function in distribution/libs/plugins/function.html_options.php in Smarty before 3.1.8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | Smarty | N/A | ||
2011-02-03 | CVE-2010-4727 | Smarty before 3.0.0 beta 7 does not properly handle the <?php and ?> tags, which has unspecified impact and remote attack vectors. | Smarty | N/A | ||
2011-02-03 | CVE-2010-4726 | Unspecified vulnerability in the math plugin in Smarty before 3.0.0 RC1 has unknown impact and remote attack vectors. NOTE: this might overlap CVE-2009-1669. | Smarty | N/A | ||
2011-02-03 | CVE-2010-4725 | Smarty before 3.0.0 RC3 does not properly handle an on value of the asp_tags option in the php.ini file, which has unspecified impact and remote attack vectors. | Smarty | N/A |