PT-2022-8058 · Smarty+2

Iricartbo · Published 2022-09-14 · Updated 2024-12-12 · CVE-2018-25047

CVSS v3.1: 5.4 Medium

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Smarty versions prior to 3.1.47
Smarty versions 4.x prior to 4.2.1

Description

The issue allows cross-site scripting (XSS) in the libs/plugins/function.mailto.php file. A web page that uses the Smarty mailto function with parameters taken from GET or POST input could allow a user to inject JavaScript code.

Recommendations

For Smarty versions prior to 3.1.47, update to version 3.1.47 or later.
For Smarty versions 4.x prior to 4.2.1, update to version 4.2.1 or later.
As a temporary workaround, consider disabling the Smarty mailto function until a patch is available.
Restrict access to the libs/plugins/function.mailto.php file to minimize the risk of exploitation.
Avoid using GET or POST input parameters in the affected web pages until the issue is resolved.
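To act on the recommendations above, the following added example (not code from this advisory or from the Smarty project) checks a Smarty version string against the fixed releases and lists `{mailto}` tags whose parameters are not literals, so they can be traced back to GET or POST input. It assumes default `{ }` delimiters; the function names and the sample template are constructed for illustration.

```python
import re

FIXED = {3: (3, 1, 47), 4: (4, 2, 1)}  # fixed releases named in the advisory

# {mailto ...} tag body; quoted strings may contain "}" (default delimiters assumed)
MAILTO_TAG = re.compile(r"""\{\s*mailto\b((?:"[^"]*"|'[^']*'|[^}"'])*)\}""")
ATTR = re.compile(r"""(\w+)\s*=\s*("[^"]*"|'[^']*'|[^\s}]+)""")
REQUEST_VAR = re.compile(r"\$smarty\.(?:get|post|request)\b")

# Constructed sample template, not taken from any real application.
SAMPLE_TPL = """\
<p>{mailto address="support@example.com" text="Support"}</p>
<p>{mailto address=$smarty.get.to subject=$smarty.post.subj}</p>
<p>{mailto address=$contact.email encode="javascript"}</p>
<p>{mailto address='sales@example.com' text='$5 offers'}</p>
"""


def is_affected(version):
    """True if a Smarty version string falls in the ranges the advisory lists."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))
    if parts[0] < 3:
        return True  # "prior to 3.1.47" also covers older major versions
    fixed = FIXED.get(parts[0])
    return fixed is not None and parts < fixed


def audit_template(text):
    """Return (line, attribute, value, source) for each non-literal mailto parameter."""
    findings = []
    for tag in MAILTO_TAG.finditer(text):
        line = text.count("\n", 0, tag.start()) + 1
        for name, value in ATTR.findall(tag.group(1)):
            if value.startswith("'") or "$" not in value:
                continue  # literal value: single-quoted strings are not interpolated
            source = "request-input" if REQUEST_VAR.search(value) else "variable"
            findings.append((line, name, value, source))
    return findings


if __name__ == "__main__":
    print("3.1.46 affected:", is_affected("3.1.46"))
    for finding in audit_template(SAMPLE_TPL):
        print(finding)
```

Entries marked `variable` still need a manual check of the PHP code that assigns the variable, since the template alone does not show whether it carries request data.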

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2018-25047
DLA-3262-1
DLA-3956-1
GHSA-HWQ7-5VV9-C6CF
MGASA-2023-0014
USN-7158-1

Affected Products

Linuxmint
Smarty
Ubuntu