CVE-2023-28447 HIGH

CVE-2023-28447: Cross site scripting vulnerability in Javascript escaping in smarty/smarty

Vendor Smarty-Php

Product smarty

Weakness CWE-79 · XSS

Published March 28, 2023

Last update November 3, 2025

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

Description

Smarty is a template engine for PHP. In affected versions smarty did not properly escape javascript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user. Users are advised to upgrade to either version 3.1.48 or to 4.3.1 to resolve this issue. There are no known workarounds for this vulnerability.

Key dates

Disclosure timeline

March 28, 2023 CVE published

November 3, 2025 Record updated

Identifiers

CVE CVE-2023-28447

CWE CWE-79

CVSS 7.1 / HIGH

Affected versions

Vendor Smarty-Php

Product smarty

Affected >= 4.0.0, < 4.3.1

Vendor Smarty-Php

Product smarty

Affected < 3.1.48