Smarty 4.3.4 is vulnerable #859
Comments
Thanks for the report. Upgrading Smarty to the recent version is really a lot of work, and we're lacking person power to tackle this. The vulnerability, to my understanding, affects setups where people with restricted access would be able to escalate permissions. For the case of Serendipity, where no template editing is provided through GUI or other means to "normal" editors, we believe that only admins/maintainers of the site would be able to utilize this as an attack vector against themselves. So in the case of Serendipity, the security issue is of a lower impact than in applications providing the option to edit templates without already having full server access. (Having said that, I fully support that an upgrade would be great and needed.)
Thanks for your analysis.
All good! Also, I agree we can leave this open so we know it should be addressed and to be transparent.
The current smarty version in s9y is vulnerable.
See: GHSA-4rmg-292m-wg3w