PT-2021-6791 · Smarty+2
Published: 2021-02-17 · Updated: 2022-10-14
CVE-2021-26120
CVSS v3.1: 9.8 (Critical; this is the base score that the vector below yields, since scope is unchanged)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Smarty versions prior to 3.1.39
Description
Smarty is a template engine for PHP that compiles templates into PHP code and then executes the result. In versions before 3.1.39 the compiler does not validate the name given to a template function (the name attribute of the {function} tag): an unexpected function name is copied verbatim into the generated PHP, so characters that are not part of an identifier become executable code. An attacker who can supply or modify templates can therefore execute arbitrary PHP on the server, with no further authentication or user interaction. Whether the attacker is effectively remote depends on the application: if it compiles templates from untrusted sources (user-editable themes, e-mail or report templates, template snippets stored in a database), the issue is directly reachable over the network; if only trusted developers write templates, the exposure is through a compromised template repository or a secondary file-write flaw. The number of potentially affected installations is not specified.
Recommendations
For versions prior to 3.1.39, update to 3.1.39 or later as soon as possible; that release validates template function names before generating code. Smarty is frequently vendored into applications, so check each application's bundled copy (for example under vendor/smarty) as well as the operating-system package.
Until the update is applied, do not compile templates from untrusted sources, and restrict the function names template authors may use to plain identifiers (letters, digits and underscores, not starting with a digit). A prefilter that rejects any other name is a practical way to enforce this, although it is a stopgap rather than a replacement for the upgrade.
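One way to implement the workaround above, as an added example that is not Smarty project code and not the upstream fix: a Smarty 3.1 prefilter that refuses to compile any template whose {function} name is not a plain PHP identifier. It assumes the default "{" and "}" delimiters and the Smarty 3.1 prefilter API ($smarty->registerFilter('pre', callable), where the callable receives the template source and the template object and returns the source). The sample template strings at the bottom are constructed for the demonstration.

```php
<?php
// Added example, not Smarty project code. Rejects templates whose {function}
// name could alter the PHP that Smarty generates from the template.
// Assumptions: default "{" "}" delimiters; Smarty 3.1 prefilter API.

/**
 * True when $name can only ever be an identifier in generated PHP: a letter,
 * underscore or high byte, followed by letters, digits, underscores or high
 * bytes. Spaces, quotes, parentheses, semicolons and braces all fail.
 */
function template_function_name_is_safe(string $name): bool
{
    return (bool) preg_match('/^[a-zA-Z_\x80-\xff][a-zA-Z0-9_\x80-\xff]*$/', $name);
}

/**
 * Returns every {function} name found in template source, handling
 * {function name=foo}, {function name="foo"}, {function name='foo'} and the
 * positional shorthand {function foo ...}. Names inside {literal} blocks or
 * built from expressions are not understood by this heuristic.
 */
function extract_template_function_names(string $source): array
{
    $pattern = '/\{function\s+(?:name\s*=\s*)?(?:"([^"]*)"|\'([^\']*)\'|([^\s}]+))/i';
    $names = [];
    if (preg_match_all($pattern, $source, $matches, PREG_SET_ORDER)) {
        foreach ($matches as $match) {
            // Exactly one of the three alternatives matched; unmatched trailing
            // groups are simply absent from $match, hence the isset() checks.
            $name = '';
            foreach ([1, 2, 3] as $group) {
                if (isset($match[$group]) && $match[$group] !== '') {
                    $name = $match[$group];
                    break;
                }
            }
            $names[] = $name;
        }
    }
    return $names;
}

/**
 * Smarty prefilter: runs before compilation and aborts it with a compiler
 * exception if any {function} name is unsafe. Returns the source unchanged
 * otherwise so compilation proceeds as usual.
 */
function reject_unsafe_template_functions(string $source, $template): string
{
    foreach (extract_template_function_names($source) as $name) {
        if (!template_function_name_is_safe($name)) {
            throw new SmartyCompilerException(
                'Refusing to compile template: unsafe {function} name ' . var_export($name, true)
            );
        }
    }
    return $source;
}

// Registration in a real deployment (only meaningful when Smarty is loaded).
if (class_exists('Smarty')) {
    $smarty = new Smarty();
    $smarty->registerFilter('pre', 'reject_unsafe_template_functions');
}

// Constructed samples: a normal template function and one whose name carries
// characters that have no place in a PHP identifier.
$good = '{function name="menu_item" level=0}<li>{$item}</li>{/function}';
$bad  = '{function name="menu_item(); system($_GET[c]); //"}{/function}';

foreach ([$good, $bad] as $source) {
    try {
        reject_unsafe_template_functions($source, null);
        echo "accepted\n";
    } catch (SmartyCompilerException $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```

The prefilter is deliberately strict: it rejects quoted names containing spaces or punctuation even where Smarty itself would tolerate them, because the only names that are safe to interpolate into generated PHP are identifiers. It does not see names inside {literal} blocks, names assembled from variables, or templates using custom delimiters, and it does nothing for templates that were already compiled and cached, so clear the compile directory after enabling it and treat the upgrade to 3.1.39 as the actual fix.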
Weakness Enumeration
Code Injection
Affected Products
Linuxmint
Smarty
Ubuntu