Smarty arbitrary PHP code execution

CVE-2014-8350 → View on GitHub ↗ View on CVE.org ↗ View on NVD ↗

Description

Smarty before 3.1.21 allows remote attackers to bypass the secure mode restrictions and execute arbitrary PHP code as demonstrated by "{literal}<{/literal}script language=php>" in a template.

Basic information

Type: reviewed
Severity: high
Advisory on GitHub: Open advisory ↗
Repository advisory: —
Source code: Browse source ↗
Published (advisory): 2022-05-17 01:13:38 UTC
Updated: 2024-04-24 22:53:35 UTC
GitHub reviewed: 2024-04-24 22:53:34 UTC
NVD published: 2014-11-03 16:55:00 UTC

EPSS Score

Score	Percentile
0.47%	64.52%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

Type	Value
GHSA	GHSA-2pmx-6mm6-6v72 ↗
CVE	CVE-2014-8350 ↗

CWEs

CWE id	Name
CWE-94	Improper Control of Generation of Code ('Code Injection')

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem	Package	Vulnerable range	First patched	Vulnerable functions
composer	smarty/smarty	< 3.1.21	3.1.21	—

References

cvelogic Threat Intelligence