PHP Code Injection by malicious block or filename in Smarty
CVE-2022-29221

8.8HIGH

Key Information:

Vendor: Smarty-PHP
Status: Smarty
Vendor: CVE Published:; 24 May 2022

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 23%

What is CVE-2022-29221?

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.45 and 4.1.1, template authors could inject php code by choosing a malicious {block} name or {include} file name. Sites that cannot fully trust template authors should upgrade to versions 3.1.45 or 4.1.1 to receive a patch for this issue. There are currently no known workarounds.

Affected Version(s)

smarty < 3.1.45 < 3.1.45

smarty >= 4.0.0, < 4.1.1 < 4.0.0, 4.1.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2022-29221-PoC
Created by sbani

References

https://github.com/smarty-php/smarty/security/advisories/...

https://github.com/smarty-php/smarty/commit/64ad6442ca1da...

https://github.com/smarty-php/smarty/releases/tag/v3.1.45

EPSS Score

23% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
May 25, 2022
👾
Exploit known to exist
May 25, 2022
Vulnerability published
May 24, 2022
Vulnerability Reserved
Apr 13, 2022

Smarty-PHP

Badges

What is CVE-2022-29221?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

EPSS Score

CVSS V3.1

Timeline