Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Sandbox Escape by math function in smarty
Vulnerability Description
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.42 and 4.0.2, template authors could run arbitrary PHP code by crafting a malicious math string. If a math string was passed through as user provided data to the math function, external users could run arbitrary PHP code by crafting a malicious math string. Users should upgrade to version 3.1.42 or 4.0.2 to receive a patch.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Vulnerability Type
输出中的特殊元素转义处理不恰当(注入)
Vulnerability Title
Smarty 注入漏洞
Vulnerability Description
Smarty是Smarty 是 PHP 的模板引擎,有助于将表示 (HTML/CSS) 与应用程序逻辑分离。 Smarty存在安全漏洞,该漏洞源于在版本3.1.42和4.0.2之前,模板作者可以通过构建一个恶意的数学字符串来运行任意PHP代码。如果一个数学字符串作为用户提供的数据传递给数学函数,外部用户可以通过制造一个恶意的数学字符串来运行任意PHP代码。用户应该升级到3.1.42或4.0.2版本来接收补丁。
CVSS Information
N/A
Vulnerability Type
N/A