GHSA-hwq7-5vv9-c6cf, CVE-2018-25047
packagist/smarty/smarty
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
In Smarty before 3.1.47 and 4.x before 4.2.1, libs/plugins/function.mailto.php allows XSS. A web page that uses smarty_function_mailto, and that could be parameterized using GET or POST input parameters, could allow injection of JavaScript code by a user.
All versions before 3.1.47, all versions starting from 4.0.0 before 4.2.1
Upgrade to versions 3.1.47, 4.2.1 or above.
2022-09-19