CVE-2023-28447: Smarty is a template engine for PHP. In affected versions smarty did not properly escape JavaScript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user. Users are advised to upgrade to either version 3.1.48 or to 4.3.1 to resolve this issue. There are no known workarounds for this vulnerability. Please bump to 4.3.1.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=526704c7f0e3ba66dd5028f1a747e6512029360d

commit 526704c7f0e3ba66dd5028f1a747e6512029360d
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2023-04-04 00:58:51 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2023-04-04 01:34:45 +0000

    dev-php/smarty: add 4.3.1, drop 4.3.0 (fix CVE-2023-28447).

    Bug: https://bugs.gentoo.org/903620
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 dev-php/smarty/Manifest                                  |  2 +-
 .../smarty/{smarty-4.3.0.ebuild => smarty-4.3.1.ebuild} | 14 ++++++++++++--
 2 files changed, 13 insertions(+), 3 deletions(-)
Thanks, please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6cbc79e3ae55e88e98cae951dd0d3514c76b7325

commit 6cbc79e3ae55e88e98cae951dd0d3514c76b7325
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2023-05-02 22:45:26 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2023-05-02 22:48:38 +0000

    dev-php/smarty: drop 4.2.1

    Bug: https://bugs.gentoo.org/903620
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 dev-php/smarty/Manifest            |  1 -
 dev-php/smarty/smarty-4.2.1.ebuild | 40 --------------------------------------
 2 files changed, 41 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8ad99362e881785bbda7554d0b2fbefcbaa3c499

commit 8ad99362e881785bbda7554d0b2fbefcbaa3c499
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2023-05-02 22:44:52 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2023-05-02 22:48:38 +0000

    dev-php/smarty: stabilize 4.3.1 for ALLARCHES

    Bug: https://bugs.gentoo.org/903620
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 dev-php/smarty/smarty-4.3.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
XSS only, no GLSA. All done, thanks!