CVE-2024-35226
Publication date 28 May 2024
Last updated 24 July 2024
Ubuntu priority
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. In affected versions template authors could inject php code by choosing a malicious file name for an extends-tag. Sites that cannot fully trust template authors should update asap. All users are advised to update. There is no patch for users on the v3 branch. There are no known workarounds for this vulnerability.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| smarty3 | 24.04 LTS noble |
Needs evaluation
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
|
| smarty4 | 24.04 LTS noble |
Needs evaluation
|
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release |
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2024-35226
- https://github.com/smarty-php/smarty/security/advisories/GHSA-4rmg-292m-wg3w
- https://github.com/smarty-php/smarty/commit/76881c8d33d80648f70c9b0339f770f5f69a87a2 (v4.5.3)
- https://github.com/smarty-php/smarty/commit/0be92bc8a6fb83e6e0d883946f7e7c09ba4e857a (v5.2.0)
- https://github.com/smarty-php/smarty/commit/0be92bc8a6fb83e6e0d883946f7e7c09ba4e857a