Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. In affected versions template authors could inject php code by choosing a malicious file name for an extends-tag. Sites that cannot fully trust template authors should update asap. All users are advised to update. There is no patch for users on the v3 branch. There are no known workarounds for this vulnerability.

The remote Ubuntu 24.04 LTS / 24.10 host has a package installed that is affected by a vulnerability as referenced in the USN-7377-1 advisory.

    It was discovered that Smarty did not properly sanitize template file names. An attacker could possibly     use this issue to cause Smarty to crash, resulting in a denial of service, or possibly execute arbitrary     code.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 24.10 host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-7158-1 advisory.

    It was discovered that Smarty incorrectly handled query parameters in requests. An attacker could possibly     use this issue to inject arbitrary Javascript code, resulting in denial of service or potential execution     of arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and     Ubuntu 24.04 LTS. (CVE-2018-25047, CVE-2023-28447)

    It was discovered that Smarty did not properly sanitize user input when generating templates. An attacker     could, through PHP injection, possibly use this issue to execute arbitrary code. (CVE-2024-35226)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 12 host has a package installed that is affected by a vulnerability as referenced in the dsa-5830 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-5830-1                   security@debian.org     https://www.debian.org/security/                       Moritz Muehlenhoff     December 12, 2024                     https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : smarty4     CVE ID         : CVE-2024-35226

    A security vulnerability was discovered in Smarty, a template engine for     PHP, which could result in PHP code injection.

    For the stable distribution (bookworm), this problem has been fixed in     version 4.3.0-1+deb12u2.

    We recommend that you upgrade your smarty4 packages.

    For the detailed security status of smarty4 please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/smarty4

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 12 host has a package installed that is affected by multiple vulnerabilities as referenced in the dsa-5826 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-5826-1                   security@debian.org     https://www.debian.org/security/                       Moritz Muehlenhoff     December 10, 2024                     https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : smarty3     CVE ID         : CVE-2023-28447 CVE-2024-35226

    Two security vulnerabilities were discovered in Smarty, a template     engine for PHP, which could result in PHP code injection or cross-site     scripting.

    For the stable distribution (bookworm), these problems have been fixed in     version 3.1.47-2+deb12u1.

    We recommend that you upgrade your smarty3 packages.

    For the detailed security status of smarty3 please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/smarty3

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-3956 advisory.

    -------------------------------------------------------------------------     Debian LTS Advisory DLA-3956-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                         Tobias Frost     November 17, 2024                             https://wiki.debian.org/LTS
    -------------------------------------------------------------------------

    Package        : smarty3     Version        : 3.1.39-2+deb11u2     CVE ID         : CVE-2018-25047 CVE-2023-28447 CVE-2024-35226     Debian Bug     : 1019897 1033964 1072530

    Multiple vulnerabilties were discovered for smarty3, a widely-used PHP     templating engine, which potentially allows an attacker to perform an     XSS (e.g JavaScript or PHP code injection).

    CVE-2018-25047

        In Smarty before 3.1.47 and 4.x before 4.2.1,         libs/plugins/function.mailto.php allows XSS. A web page that uses         smarty_function_mailto, and that could be parameterized using GET or         POST input parameters, could allow injection of JavaScript code by a         user.

    CVE-2023-28447

        In affected versions smarty did not properly escape javascript code.
        An attacker could exploit this vulnerability to execute arbitrary         JavaScript code in the context of the user's browser session. This         may lead to unauthorized access to sensitive user data, manipulation         of the web application's behavior, or unauthorized actions performed         on behalf of the user. Users are advised to upgrade to either         version 3.1.48 or to 4.3.1 to resolve this issue. There are no known         workarounds for this vulnerability.

    CVE-2024-35226

        In affected versions template authors could inject php code by         choosing a malicious file name for an extends-tag. Sites that cannot         fully trust template authors should update asap. All users are         advised to update.  There is no patch for users on the v3 branch.
        There are no known workarounds for this vulnerability.

    For Debian 11 bullseye, these problems have been fixed in version     3.1.39-2+deb11u2.

    We recommend that you upgrade your smarty3 packages.

    Please note you will have to clear out all smarty generated files after     installing the update, by default in a templates_c directory.

    For the detailed security status of smarty3 please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/smarty3

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS     Attachment:
    signature.asc     Description: PGP signature

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
233676	Ubuntu 24.04 LTS / 24.10 : Smarty vulnerability (USN-7377-1)	Nessus	Ubuntu Local Security Checks	high
212734	Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 24.10 : Smarty vulnerabilities (USN-7158-1)	Nessus	Ubuntu Local Security Checks	medium
212720	Debian dsa-5830 : smarty4 - security update	Nessus	Debian Local Security Checks	high
212268	Debian dsa-5826 : smarty3 - security update	Nessus	Debian Local Security Checks	medium
211501	Debian dla-3956 : smarty3 - security update	Nessus	Debian Local Security Checks	medium

Detections

Analytics

CVE-2024-35226

high

Tenable Plugins

high

medium

high

medium

medium