Iricartbo

**Name of the Vulnerable Software and Affected Versions** Smarty versions prior to 3.1.47 Smarty versions 4.x prior to 4.2.1 **Description** The issue allows cross-site scripting (XSS) in the `libs/plugins/function.mailto.php` file. A web page using `smarty function mailto` and parameterized with GET or POST input parameters could allow a user to inject JavaScript code. **Recommendations** For Smarty versions prior to 3.1.47, update to version 3.1.47 or later. For Smarty versions 4.x prior to 4.2.1, update to version 4.2.1 or later. As a temporary workaround, consider disabling the `smarty function mailto` function until a patch is available. Restrict access to the `libs/plugins/function.mailto.php` file to minimize the risk of exploitation. Avoid using GET or POST input parameters in the affected web pages until the issue is resolved.