CIVI-SA-2013-005 - Smarty XSS (Unspecified)

Publié
2013-06-05 22:23
Written by

Smarty is a template library responsible for composing web-page output in CiviCRM. If Smarty encounters an internal processing error (such as an unknown template-file or unknown template-function), then it outputs an error message. In Smarty 2.6.26 and earlier, the error message is not properly escaped and (in combination with other, unidentified flaws) may provide a vector for a cross-site scripting attack. The issue is resolved in Smarty 2.6.27 and CiviCRM 4.3.4.

Note: There are no known exploits for this issue in CiviCRM, and it is not known whether this issue is actually exploitable.

Security Risk
Less Critical
Vulnerability
Cross Site Scripting
Affected Versions

CiviCRM v1.0.0 - v4.2.9, v4.3.0 - v4.3.3

Fixed Versions

CiviCRM v4.2.10 and v4.3.4

Solutions

Any ONE of the following solutions will provide protection:

Credits
  • Uwe Tews
  • Neil Drumm
  • CiviCRM LLC
References
CVE
CVE-2012-4437