PT-2022-3224 · Smarty
Published
2022-05-17
·
Updated
2023-12-12
·
CVE-2022-29221
CVSS v2.0
9.0
High
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Smarty versions prior to 3.1.45
Smarty versions 4.0.0 through 4.1.0
Description
The issue stems from incorrect handling of code generation in the PHP Smarty template engine, allowing a remote attacker to execute arbitrary PHP code. Template authors could inject PHP code by choosing a malicious {block} name or {include} file name. This affects sites that cannot fully trust template authors.
Recommendations
For versions prior to 3.1.45, upgrade to version 3.1.45 to receive a patch for this issue.
For versions 4.0.0 through 4.1.0, upgrade to version 4.1.1 to receive a patch for this issue.
As a temporary workaround, consider restricting the ability of template authors to choose
{block} names or {include} file names until a patch is applied.
Exploit
Fix
Code Injection
Weakness Enumeration
Related Identifiers
Affected Products
Linuxmint
Smarty
Ubuntu