A vulnerability has been reported in Smarty, which can be exploited by malicious people to conduct cross-site scripting attacks.
Certain input passed via exception messages is not properly sanitised in the "SmartyException" class before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The vulnerability is reported in version 3.1.11. Prior versions may also be affected.
Fixed in the SVN repository.
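An added illustration of the class of bug described above, not code from Smarty or from this report: a hypothetical exception type whose message is echoed into an HTML error page unescaped, next to one that escapes it when rendered. All class and function names are hypothetical, and the assumption that the message embeds a request-supplied template name is ours, since the advisory leaves the vectors unspecified.

```php
<?php
declare(strict_types=1);

// Hypothetical classes for illustration; neither is Smarty's SmartyException.
class RawTemplateException extends Exception {}

class EscapedTemplateException extends Exception
{
    // Escape by default; a CLI or log consumer can switch this off.
    public static bool $escape = true;

    public function __toString(): string
    {
        return static::class . ': ' . self::html($this->getMessage());
    }

    public static function html(string $text): string
    {
        return self::$escape
            ? htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
            : $text;
    }
}

// Constructed lookup: no template exists, so every name fails and the
// caller-supplied name ends up inside the exception message.
function loadTemplate(string $name, string $exceptionClass): string
{
    throw new $exceptionClass("Unable to load template '{$name}'");
}

// Error-page fragment as a web handler might emit it; the string
// concatenation invokes the exception's __toString().
function renderError(Throwable $e): string
{
    return '<pre>' . $e . '</pre>';
}

$name = '<i>constructed-name</i>'; // constructed request value
foreach ([RawTemplateException::class, EscapedTemplateException::class] as $cls) {
    try {
        loadTemplate($name, $cls);
    } catch (Exception $e) {
        echo $cls, ' -> ', renderError($e), PHP_EOL;
    }
}
```

The first line of output carries the markup through to the page as markup (along with the default file path and stack trace), while the second shows it as inert text.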
Cross-site scripting (XSS) vulnerability in the SmartyException class in
Smarty (aka smarty-php) before 3.1.12 allows remote attackers to inject
arbitrary web script or HTML via unspecified vectors that trigger a Smarty
@maintainers: looks like 2.6.27 is not listed as affected. Okay to stable it? (I assume we won't stable 3.1 at this time)
(In reply to Chris Reffett from comment #2)
> @maintainers: looks like 2.6.27 is not listed as affected. Okay to stable
> it? (I assume we won't stable 3.1 at this time)
Sorry for the late response. Yep. You can stabilise it.
Arches, please test and mark stable:
Target keywords: "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Actually, hold off, we will probably be masking 2.6 and stabilizing 3.x. Will sort this all out tonight when I'm at my dev box.
After discussion with maintainers, we will be stabilizing 3.1.12 and pmasking 2.6.x. Arches, please test and stabilize:
Target arches: alpha amd64 hppa ia64 ppc ppc64 sparc x86
Stable for HPPA.
(In reply to Agostino Sarubbo from comment #9)
> x86 stable
Did this commit get lost somehow? I still see,
KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc ~x86"
x86 was not stabled for smarty-3.1.12, fix please.
(In reply to Chris Reffett from comment #16)
> x86 was not stabled for smarty-3.1.12, fix please.
Thanks for your work.
GLSA vote: no
GLSA vote: no, closing noglsa.
Maintainer(s), please drop the vulnerable version.
*** Bug 481780 has been marked as a duplicate of this bug. ***
2.6.28 is not affected and we ended up not removing 2.* because it had fixes backported for a different bug. Closing noglsa.