CVE-2014-8350
Smarty < 3.1.21 - Remote Code Execution via Secure Mode Bypass
Smarty before 3.1.21 allows remote attackers to bypass the secure mode restrictions and execute arbitrary PHP code as demonstrated by "{literal}<{/literal}script language=php>" in a template.
References (8)
Core References
Third Party Advisory, VDB Entry [vdb-entry, x_refsource_bid]: http://www.securityfocus.com/bid/70708
Exploit [mailing-list, x_refsource_mlist]: http://seclists.org/oss-sec/2014/q4/421
Issue Tracking [x_refsource_confirm]: https://code.google.com/p/smarty-php/source/browse/trunk/distribution/change_log.txt?r=4902
Third Party Advisory [x_refsource_confirm]: http://advisories.mageia.org/MGASA-2014-0468.html
Exploit [mailing-list, x_refsource_mlist]: http://seclists.org/oss-sec/2014/q4/420
Vendor Advisory [vendor-advisory, x_refsource_mandriva]: http://www.mandriva.com/security/advisories?name=MDVSA-2014:221
Third Party Advisory, VDB Entry [vdb-entry, x_refsource_xf]: https://exchange.xforce.ibmcloud.com/vulnerabilities/97725
Exploit [x_refsource_confirm]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765920
Scores
EPSS: 0.0313
EPSS Percentile: 86.2%
Details
CWE: CWE-94
Status: published
Products (43)
smarty/smarty 1.0
smarty/smarty 1.0a
smarty/smarty 1.0b
smarty/smarty 1.1.0
smarty/smarty 1.2.0
smarty/smarty 1.2.1
smarty/smarty 1.2.2
smarty/smarty 1.3.0
smarty/smarty 1.3.1
smarty/smarty 1.3.2
... and 33 more
Published: Nov 03, 2014
Tracked Since: Feb 18, 2026