CVE-2018-25047

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/smarty/smarty

Identifiers

GHSA-hwq7-5vv9-c6cf, CVE-2018-25047

Package Slug

packagist/smarty/smarty

Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

In Smarty before 3.1.47 and 4.x before 4.2.1, libs/plugins/function.mailto.php allows XSS. A web page that uses smarty_function_mailto, and that could be parameterized using GET or POST input parameters, could allow injection of JavaScript code by a user.

Affected Versions

All versions before 3.1.47, all versions starting from 4.0.0 before 4.2.1

Solution

Upgrade to versions 3.1.47, 4.2.1 or above.

Last Modified

2022-09-19
