CVE-2018-25047: Release v4.2.1 · smarty-php/smarty
In Smarty before 3.1.47 and 4.x before 4.2.1, libs/plugins/function.mailto.php allows XSS. A web page that uses smarty_function_mailto, and whose parameters can be filled from GET or POST input, could allow a user to inject JavaScript code.
If you use the {mailto} plugin in your templates, check whether you are escaping the address value explicitly, for example {mailto address=$htmladdress|escape}. Because the plugin now escapes the value itself, an explicit escape in the template results in double escaping.
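The following is an added illustration, not the Smarty plugin's own code: a stand-alone mailto link builder that escapes each parameter for the context it lands in (URL encoding for query parameters, HTML escaping for the href attribute and the link text), fed with a constructed tainted address of the kind the advisory describes. The second call shows the double-escaping effect mentioned above: a value that was already passed through an HTML escape (as Smarty's `|escape` modifier does) gets its `&` encoded a second time. The function name `build_mailto` and the sample inputs are assumptions of this example.

```php
<?php
// Added example (not Smarty's function.mailto.php): a context-aware
// mailto link builder and a demonstration of the double-escaping pitfall.

/**
 * Build a mailto link from untrusted template parameters.
 *  - subject/cc/bcc become query parameters and are URL-encoded;
 *  - the complete href and the visible label are HTML-escaped so that
 *    quotes and angle brackets can never terminate the attribute or tag.
 */
function build_mailto(string $address, array $params = [], ?string $text = null): string
{
    $query = [];
    foreach (['subject', 'cc', 'bcc'] as $key) {
        if (isset($params[$key]) && $params[$key] !== '') {
            $query[] = $key . '=' . rawurlencode($params[$key]);
        }
    }

    $href = 'mailto:' . $address;
    if ($query !== []) {
        $href .= '?' . implode('&', $query);
    }

    $label = $text ?? $address;

    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($label, ENT_QUOTES, 'UTF-8')
         . '</a>';
}

// Constructed tainted input, as if it arrived unfiltered from a GET/POST
// parameter and was handed to {mailto address=...}.
$tainted = 'me@example.com"><script>alert(1)</script>';
echo build_mailto($tainted, ['subject' => 'Hi & bye']), "\n";
// The quote and angle brackets are emitted as &quot; &lt; &gt;, the '&'
// in the subject as %26, so the markup stays inert:
// <a href="mailto:me@example.com&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;?subject=Hi%20%26%20bye">...</a>

// Double escaping: if the template already applied |escape (HTML escaping)
// before passing the value in, the builder encodes the '&' of '&amp;' again.
$preEscaped = htmlspecialchars('a&b@example.com', ENT_QUOTES, 'UTF-8'); // a&amp;b@example.com
echo build_mailto($preEscaped), "\n";
// href="mailto:a&amp;amp;b@example.com" -> the browser decodes this to
// "a&amp;b@example.com", which is not the intended address.
echo build_mailto('a&b@example.com'), "\n";
// href="mailto:a&amp;b@example.com" -> decodes correctly to a&b@example.com
```

The practical check this suggests is to grep templates for `{mailto` calls whose address parameter already carries an `|escape` modifier and drop that modifier once the fixed plugin is in place; otherwise addresses containing `&` (or anything else htmlspecialchars touches) will render wrongly.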
What's Changed
Security
- Applied appropriate JavaScript and HTML escaping in the mailto plugin to counter injection attacks #454
Fixed
- Fixed PHP8.1 deprecation errors in modifiers (upper, explode, number_format and replace) #755 and #788
- Fixed PHP8.1 deprecation errors in capitalize modifier #789
- Fixed use of rand() without a parameter in math function #794
- Fixed unselected year/month/day not working in html_select_date #395
New Contributors
- @mfettig made their first contribution in #755
Full Changelog: v4.2.0…v4.2.1
Related news
Gentoo Linux Security Advisory 202209-09
Gentoo Linux Security Advisory 202209-9 - Multiple vulnerabilities have been found in Smarty, the worst of which could result in remote code execution. Versions less than 4.2.1 are affected.