CVE-2012-4437 — Cross-site Scripting in SmartyException

Description

Cross-site scripting (XSS) vulnerability in the SmartyException class in Smarty (aka smarty-php) before 3.1.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors that trigger a Smarty exception.

How to fix CVE-2012-4437

To remediate CVE-2012-4437, upgrade the affected package to a fixed version below.

Debian/smarty3—upgrade to 3.1.10-2 or later
Packagist/smarty/smarty—upgrade to 3.1.12 or later

Is CVE-2012-4437 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 3.1.10-2
from 0, < 3.1.12

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2012-4437
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2012-4437
PATCHgithub.com/smarty-php/smarty
WEBcode.google.com/p/smarty-php/source/browse/trunk/distribution/change_log.txt