1. Home
  2. CVE Database
  3. CVE-2023-28447
HIGH · 7.1

CVE-2023-28447

Smarty is a template engine for PHP. In affected versions smarty did not properly escape javascript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the conte...

Vulnerability Description

Smarty is a template engine for PHP. In affected versions smarty did not properly escape javascript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user. Users are advised to upgrade to either version 3.1.48 or to 4.3.1 to resolve this issue. There are no known workarounds for this vulnerability.

CVSS Score

7.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
LOW

Affected Products

VendorProductVersions
SmartySmarty< 3.1.48
FedoraprojectFedora36

Related Weaknesses (CWE)

CWE-79

References

FAQ

What is CVE-2023-28447?

CVE-2023-28447 is a vulnerability with a CVSS score of 7.1 (HIGH). Smarty is a template engine for PHP. In affected versions smarty did not properly escape javascript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the conte...

How severe is CVE-2023-28447?

CVE-2023-28447 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-28447?

Check the references section above for vendor advisories and patch information. Affected products include: Smarty Smarty, Fedoraproject Fedora.