Security Risk: Less Critical
Vulnerability: Cross Site Scripting
Affected Versions: CiviCRM v1.0.0 - v4.2.9, v4.3.0 - v4.3.3
Fixed Versions: CiviCRM v4.2.10 and v4.3.4
Publication Date: Monday, June 10, 2013
Description: 

Smarty is the template library that composes web-page output in CiviCRM. If Smarty encounters an internal processing error (such as an unknown template file or an unknown template function), it outputs an error message. In Smarty 2.6.26 and earlier, that error message is not properly escaped and (in combination with other, unidentified flaws) may provide a vector for a cross-site scripting attack. The issue is resolved in Smarty 2.6.27 and CiviCRM 4.3.4.

Note: There are no known exploits for this issue in CiviCRM, and it is not known whether this issue is actually exploitable.
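The class of flaw described above, as an added PHP example that is not CiviCRM's or Smarty's own code: a hypothetical template-engine error path that interpolates the requested template name into its HTML error message, first unescaped and then escaped for the HTML context. The function names and the sample input are constructed for illustration.

```php
<?php
// Added example (not CiviCRM or Smarty code). Models a template engine
// that reports an unknown template by echoing the requested name back
// into the page, which is the pattern the advisory describes.

// Vulnerable form: the resource name (which may be influenced by a
// request parameter that selects a template) reaches the page raw.
function template_error_unescaped(string $resourceName): string
{
    return '<p class="error">Smarty error: unable to read resource: '
         . "'" . $resourceName . "'</p>";
}

// Hardened form: escape for the HTML context before concatenation.
function template_error_escaped(string $resourceName): string
{
    $safe = htmlspecialchars($resourceName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p class="error">Smarty error: unable to read resource: '
         . "'" . $safe . "'</p>";
}

// Returns true if the rendered message still contains a raw tag,
// i.e. markup from the input survived into the output.
function contains_raw_tag(string $html, string $tag): bool
{
    return strpos($html, '<' . $tag . '>') !== false;
}

// Constructed probe: a template name carrying markup.
$input = "missing.tpl'><script>alert(1)</script>";

$unsafe = template_error_unescaped($input);
$safe   = template_error_escaped($input);

// The unescaped message reproduces the <script> tag verbatim;
// the escaped message renders it as literal text (&lt;script&gt;).
printf("unescaped keeps raw tag: %s\n", contains_raw_tag($unsafe, 'script') ? 'yes' : 'no');
printf("escaped keeps raw tag:   %s\n", contains_raw_tag($safe, 'script') ? 'yes' : 'no');
echo $safe, PHP_EOL;
```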

Solutions: 

Any ONE of the following solutions will provide protection:

Credits: 
  • Uwe Tews
  • Neil Drumm
  • CiviCRM LLC
References: 
CVE: CVE-2012-4437