Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 903620 (CVE-2023-28447)

Summary: <dev-php/smarty-4.3.1: XSS vulnerability
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: mjo, php-bugs
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/smarty-php/smarty/security/advisories/GHSA-7j98-h7fp-4vwj
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-03-31 04:10:07 UTC 
CVE-2023-28447:

Smarty is a template engine for PHP. In affected versions smarty did not properly escape javascript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user. Users are advised to upgrade to either version 3.1.48 or to 4.3.1 to resolve this issue. There are no known workarounds for this vulnerability.

Please bump to 4.3.1.
Comment 1 Larry the Git Cow gentoo-dev 2023-04-04 01:36:12 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=526704c7f0e3ba66dd5028f1a747e6512029360d

commit 526704c7f0e3ba66dd5028f1a747e6512029360d
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2023-04-04 00:58:51 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2023-04-04 01:34:45 +0000

    dev-php/smarty: add 4.3.1, drop 4.3.0 (fix CVE-2023-28447).
    
    Bug: https://bugs.gentoo.org/903620
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 dev-php/smarty/Manifest                                    |  2 +-
 .../smarty/{smarty-4.3.0.ebuild => smarty-4.3.1.ebuild}    | 14 ++++++++++++--
 2 files changed, 13 insertions(+), 3 deletions(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-20 04:05:48 UTC 
Thanks, please cleanup.
Comment 3 Larry the Git Cow gentoo-dev 2023-05-02 22:49:49 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6cbc79e3ae55e88e98cae951dd0d3514c76b7325

commit 6cbc79e3ae55e88e98cae951dd0d3514c76b7325
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2023-05-02 22:45:26 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2023-05-02 22:48:38 +0000

    dev-php/smarty: drop 4.2.1
    
    Bug: https://bugs.gentoo.org/903620
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 dev-php/smarty/Manifest            |  1 -
 dev-php/smarty/smarty-4.2.1.ebuild | 40 --------------------------------------
 2 files changed, 41 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8ad99362e881785bbda7554d0b2fbefcbaa3c499

commit 8ad99362e881785bbda7554d0b2fbefcbaa3c499
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2023-05-02 22:44:52 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2023-05-02 22:48:38 +0000

    dev-php/smarty: stabilize 4.3.1 for ALLARCHES
    
    Bug: https://bugs.gentoo.org/903620
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 dev-php/smarty/smarty-4.3.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-07 20:20:37 UTC 
XSS only, no GLSA. All done, thanks!