CIVI-SA-2013-005 - Smarty XSS (Unspecified)

2013-06-05 22:23

Smarty is the template library that composes CiviCRM's web-page output. When Smarty hits an internal processing error (for example, an unknown template file or an unknown template function), it emits an error message. In Smarty 2.6.26 and earlier that message is output without being properly escaped, so any text it echoes back reaches the page as markup rather than as plain text; in combination with other, unidentified flaws this may provide a vector for a cross-site scripting attack. The issue is resolved in Smarty 2.6.27 and in CiviCRM 4.2.10 and 4.3.4.

Note: There are no known exploits for this issue in CiviCRM, and it is not known whether this issue is actually exploitable.
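The following is an added illustration of the weak pattern described above, not Smarty's or CiviCRM's own code: an error message that interpolates a name it was asked to load straight into HTML, beside the same message escaped for an HTML text context. The function names, the message wording and the constructed hostile template name are all assumptions made for the example; nothing here reproduces an actual attack path in CiviCRM.

```php
<?php
// Added example (not Smarty/CiviCRM code): unescaped vs. escaped error output.
// Function names and message text are hypothetical.

function render_error_unescaped(string $templateName): string
{
    // Weak pattern: the name is interpolated verbatim into HTML, so any
    // markup it carries is interpreted by the browser.
    return "<b>Template error:</b> unable to read resource \"$templateName\"";
}

function render_error_escaped(string $templateName): string
{
    // Hardened pattern: escape for an HTML text context before output.
    // ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE avoids
    // returning an empty string on invalid UTF-8 (which would hide the error).
    $safe = htmlspecialchars($templateName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<b>Template error:</b> unable to read resource \"$safe\"";
}

// Quick check an integrator can run against any error renderer: the
// untrusted input must not survive verbatim in the produced HTML.
function echoes_raw_input(string $html, string $untrusted): bool
{
    return strpos($html, $untrusted) !== false;
}

// Constructed input: a template name carrying markup, as it might arrive if
// an untrusted value ever reached the template loader (hypothetical).
$hostile = '<script>alert(1)</script>';

echo render_error_unescaped($hostile), PHP_EOL;
echo render_error_escaped($hostile), PHP_EOL;

// Both assertions hold: the weak renderer leaks the markup, the escaped one does not.
assert(echoes_raw_input(render_error_unescaped($hostile), $hostile) === true);
assert(echoes_raw_input(render_error_escaped($hostile), $hostile) === false);
```

The point of the check is that escaping has to happen at the moment the error text is written into the page, not where the name was first read: a template name may have been safe when validated and still contain characters that are special in HTML.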

Security Risk
Less Critical

Vulnerability
Cross Site Scripting

Affected Versions
CiviCRM v1.0.0 - v4.2.9, v4.3.0 - v4.3.3

Fixed Versions
CiviCRM v4.2.10 and v4.3.4


Any ONE of the following solutions will provide protection:

  • Upgrade to CiviCRM v4.2.10 (for 4.2.x sites) or v4.3.4 (for 4.3.x sites).
  • Update the Smarty library used by your installation to Smarty 2.6.27, which contains the escaping fix.

Credits

  • Uwe Tews
  • Neil Drumm
  • CiviCRM LLC