Vulnerabilities > Smarty > Smarty > 2.3.0

DATE CVE VULNERABILITY TITLE RISK
2023-03-28 CVE-2023-28447 Cross-site Scripting vulnerability in multiple products
Smarty is a template engine for PHP.
network
low complexity
smarty fedoraproject CWE-79
6.1
6.1
2022-09-15 CVE-2018-25047 Cross-site Scripting vulnerability in multiple products
In Smarty before 3.1.47 and 4.x before 4.2.1, libs/plugins/function.mailto.php allows XSS.
network
low complexity
smarty debian CWE-79
5.4
5.4
2022-05-24 CVE-2022-29221 Code Injection vulnerability in multiple products
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic.
network
low complexity
smarty debian fedoraproject CWE-94
8.8
8.8
2022-01-10 CVE-2021-21408 Improper Input Validation vulnerability in multiple products
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic.
network
low complexity
smarty debian fedoraproject CWE-20
8.8
8.8
2022-01-10 CVE-2021-29454 Injection vulnerability in multiple products
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic.
network
low complexity
smarty debian fedoraproject CWE-74
8.8
8.8
2021-02-22 CVE-2021-26120 Code Injection vulnerability in multiple products
Smarty before 3.1.39 allows code injection via an unexpected function name after a {function name= substring.
network
low complexity
smarty debian CWE-94
critical
 9.8
9.8
2021-02-22 CVE-2021-26119 Smarty before 3.1.39 allows a Sandbox Escape because $smarty.template_object can be accessed in sandbox mode.
network
low complexity
smarty debian
7.5
7.5
2018-09-18 CVE-2018-13982 Path Traversal vulnerability in multiple products
Smarty_Security::isTrustedResourceDir() in Smarty before 3.1.33 is prone to a path traversal vulnerability due to insufficient template code sanitization.
network
low complexity
smarty debian CWE-22
5.0
5.0
2014-11-03 CVE-2014-8350 Code Injection vulnerability in Smarty
Smarty before 3.1.21 allows remote attackers to bypass the secure mode restrictions and execute arbitrary PHP code as demonstrated by "{literal}<{/literal}script language=php>" in a template.
network
low complexity
smarty CWE-94
7.5
7.5
2012-10-01 CVE-2012-4437 Cross-Site Scripting vulnerability in Smarty
Cross-site scripting (XSS) vulnerability in the SmartyException class in Smarty (aka smarty-php) before 3.1.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors that trigger a Smarty exception.
network
smarty CWE-79
4.3
4.3