CVE-2024-35226

NameCVE-2024-35226
DescriptionSmarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. In affected versions template authors could inject php code by choosing a malicious file name for an extends-tag. Sites that cannot fully trust template authors should update asap. All users are advised to update. There is no patch for users on the v3 branch. There are no known workarounds for this vulnerability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1072529, 1072530

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
smarty3 (PTS)bullseye (security), bullseye3.1.39-2+deb11u1vulnerable
bookworm3.1.47-2vulnerable
sid, trixie3.1.48-1vulnerable
smarty4 (PTS)bookworm4.3.0-1+deb12u1vulnerable
sid, trixie4.3.1-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
smarty3source(unstable)(unfixed)1072530
smarty4source(unstable)(unfixed)1072529

Notes

https://github.com/smarty-php/smarty/security/advisories/GHSA-4rmg-292m-wg3w
https://github.com/smarty-php/smarty/commit/76881c8d33d80648f70c9b0339f770f5f69a87a2 (v4.5.3)
https://github.com/smarty-php/smarty/commit/0be92bc8a6fb83e6e0d883946f7e7c09ba4e857a (v5.2.0)
Search for package or bug name: Reporting problems