Source: smarty3
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for smarty3.

CVE-2024-35226[0]:
| Smarty is a template engine for PHP, facilitating the separation of
| presentation (HTML/CSS) from application logic. In affected versions
| template authors could inject php code by choosing a malicious file
| name for an extends-tag. Sites that cannot fully trust template
| authors should update asap. All users are advised to update. There
| is no patch for users on the v3 branch. There are no known
| workarounds for this vulnerability.

https://github.com/smarty-php/smarty/security/advisories/GHSA-4rmg-292m-wg3w
https://github.com/smarty-php/smarty/commit/76881c8d33d80648f70c9b0339f770f5f69a87a2 (support/4)
https://github.com/smarty-php/smarty/commit/0be92bc8a6fb83e6e0d883946f7e7c09ba4e857a (v5.2.0)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-35226
    https://www.cve.org/CVERecord?id=CVE-2024-35226

Please adjust the affected versions in the BTS as needed.