Vulnerability Name:

CVE-2008-4810 (CCN-46031)

Assigned:2008-10-22
Published:2008-10-22
Updated:2017-08-08
Summary:The _expand_quoted_text function in libs/Smarty_Compiler.class.php in Smarty 2.6.20 before r2797 allows remote attackers to execute arbitrary PHP code via vectors related to templates and (1) a dollar-sign character, aka "php executed in templates;" and (2) a double quoted literal string, aka a "function injection security hole."
Note: each vector affects slightly different SVN revisions.
CVSS v3 Severity:7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
5.9 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
5.9 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-94
Vulnerability Consequences:Gain Access
References:Source: CONFIRM
Type: UNKNOWN
http://code.google.com/p/smarty-php/source/detail?r=2784&path=/trunk/libs/Smarty_Compiler.class.php

Source: CONFIRM
Type: UNKNOWN
http://code.google.com/p/smarty-php/source/detail?r=2797&path=/trunk/libs/Smarty_Compiler.class.php

Source: MITRE
Type: CNA
CVE-2008-4810

Source: CCN
Type: Mahara Web Site
Mahara 1.2.4, 1.1.8, and 1.0.14 Released

Source: CCN
Type: SA32329
Smarty "_expand_quoted_text()" Security Bypass Vulnerability

Source: SECUNIA
Type: Vendor Advisory
32329

Source: MISC
Type: UNKNOWN
http://securityvulns.ru/Udocument746.html

Source: CONFIRM
Type: UNKNOWN
http://smarty-php.googlecode.com/svn/trunk/NEWS

Source: DEBIAN
Type: UNKNOWN
DSA-1691

Source: DEBIAN
Type: DSA-1691
moodle -- several vulnerabilities

Source: DEBIAN
Type: DSA-1919
smarty -- several vulnerabilities

Source: CCN
Type: GLSA-201006-13
Smarty: Multiple vulnerabilities

Source: MLIST
Type: UNKNOWN
[oss-security] 20081025 Regarding SA32329 (Smarty "_expand_quoted_text()" Security Bypass)

Source: CCN
Type: OSVDB ID: 49943
Smarty libs/Smarty_Compiler.class.php _expand_quoted_text() Function Arbitrary PHP Code Execution

Source: BID
Type: UNKNOWN
31862

Source: CCN
Type: BID-31862
Smarty Template Engine 'Smarty_Compiler.class.php' Security Bypass Vulnerability

Source: CCN
Type: Smarty Web site
Smarty: Template Engine

Source: CCN
Type: USN-791-1
Moodle vulnerabilities

Source: CONFIRM
Type: UNKNOWN
https://bugs.gentoo.org/attachment.cgi?id=169804&action=view

Source: CCN
Type: Red Hat Bugzilla Bug 467317
Bug 467317 - Security Update for php-smarty

Source: XF
Type: UNKNOWN
smarty-expandquotedtext-code-execution(46031)

Source: XF
Type: UNKNOWN
smarty-expandquotedtext-code-execution(46031)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:smarty:smarty:1.0:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.0a:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.0b:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.4.0:b1:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.4.0:b2:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.4.3:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.4.4:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.4.5:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.4.6:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.5.2:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.5.0:rc1:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.5.0:rc2:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.0:rc1:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.0:rc2:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.0:rc3:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.2:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.3:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.4:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.5:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.6:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.7:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.9:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.10:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.11:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.12:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.13:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.14:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.15:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.16:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.17:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.18:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:smarty:smarty:2.6.9:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.11:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.12:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.13:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.14:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.15:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.16:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.0:rc3:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.0:rc2:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.0:rc1:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.5.0:rc1:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.5.0:rc2:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.5.2:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.4.6:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.4.5:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.4.4:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.4.3:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.4.0:b1:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.4.0:b2:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.0b:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.0a:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:1.0:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.10:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.17:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.2:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.7:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.18:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.3:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.4:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.5:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.6:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.0.8:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.0.10:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.0.9:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.0.11:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.0.12:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.1.6:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.1.3:*:*:*:*:*:*:*
  • AND
  • cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0::x86_64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2008.0::x86-64:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:4.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2008.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2008.1:x86_64:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2008.1:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu:8.04::lts:*:*:*:*:*
  • OR cpe:/o:mandriva:linux:2009.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandriva:linux:2009.0:-:x86_64:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:5.0:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.mitre.oval:def:13687
    P
    		USN-791-1 -- moodle vulnerabilities
    2014-07-07
    oval:org.mitre.oval:def:20060
    P
    		DSA-1691-1 moodle - several vulnerabilities
    2014-06-23
    oval:org.mitre.oval:def:13108
    P
    		DSA-1919-1 smarty -- several
    2014-06-23
    oval:org.mitre.oval:def:13560
    P
    		DSA-1919-2 smarty -- several
    2014-06-23
    oval:org.mitre.oval:def:7911
    P
    		DSA-1919 smarty -- several vulnerabilities
    2014-06-23
    oval:org.mitre.oval:def:7939
    P
    		DSA-1691 moodle -- several vulnerabilities
    2014-06-23
    oval:org.debian:def:1919
    V
    		several vulnerabilities
    2009-10-25
    oval:org.debian:def:1691
    V
    		several vulnerabilities
    2008-12-22
    BACK
    smarty smarty 1.0
    smarty smarty 1.0a
    smarty smarty 1.0b
    smarty smarty 1.1.0
    smarty smarty 1.2.0
    smarty smarty 1.2.1
    smarty smarty 1.2.2
    smarty smarty 1.3.0
    smarty smarty 1.3.1
    smarty smarty 1.3.2
    smarty smarty 1.4.0
    smarty smarty 1.4.0 b1
    smarty smarty 1.4.0 b2
    smarty smarty 1.4.1
    smarty smarty 1.4.2
    smarty smarty 1.4.3
    smarty smarty 1.4.4
    smarty smarty 1.4.5
    smarty smarty 1.4.6
    smarty smarty 1.5.0
    smarty smarty 1.5.1
    smarty smarty 1.5.2
    smarty smarty 2.0.0
    smarty smarty 2.0.1
    smarty smarty 2.1.0
    smarty smarty 2.1.1
    smarty smarty 2.2.0
    smarty smarty 2.3.0
    smarty smarty 2.3.1
    smarty smarty 2.4.0
    smarty smarty 2.4.1
    smarty smarty 2.4.2
    smarty smarty 2.5.0
    smarty smarty 2.5.0 rc1
    smarty smarty 2.5.0 rc2
    smarty smarty 2.6.0
    smarty smarty 2.6.0 rc1
    smarty smarty 2.6.0 rc2
    smarty smarty 2.6.0 rc3
    smarty smarty 2.6.1
    smarty smarty 2.6.2
    smarty smarty 2.6.3
    smarty smarty 2.6.4
    smarty smarty 2.6.5
    smarty smarty 2.6.6
    smarty smarty 2.6.7
    smarty smarty 2.6.9
    smarty smarty 2.6.10
    smarty smarty 2.6.11
    smarty smarty 2.6.12
    smarty smarty 2.6.13
    smarty smarty 2.6.14
    smarty smarty 2.6.15
    smarty smarty 2.6.16
    smarty smarty 2.6.17
    smarty smarty 2.6.18
    smarty smarty 2.6.9
    smarty smarty 2.6.1
    smarty smarty 2.6.0
    smarty smarty 2.6.11
    smarty smarty 2.6.12
    smarty smarty 2.6.13
    smarty smarty 2.6.14
    smarty smarty 2.6.15
    smarty smarty 2.6.16
    smarty smarty 2.6.0 rc3
    smarty smarty 2.6.0 rc2
    smarty smarty 2.6.0 rc1
    smarty smarty 2.5.0
    smarty smarty 2.5.0 rc1
    smarty smarty 2.5.0 rc2
    smarty smarty 2.4.2
    smarty smarty 2.4.1
    smarty smarty 2.4.0
    smarty smarty 2.3.1
    smarty smarty 2.3.0
    smarty smarty 2.2.0
    smarty smarty 2.1.1
    smarty smarty 2.1.0
    smarty smarty 2.0.1
    smarty smarty 2.0.0
    smarty smarty 1.5.2
    smarty smarty 1.5.1
    smarty smarty 1.5.0
    smarty smarty 1.4.6
    smarty smarty 1.4.5
    smarty smarty 1.4.4
    smarty smarty 1.4.3
    smarty smarty 1.4.2
    smarty smarty 1.4.1
    smarty smarty 1.4.0
    smarty smarty 1.4.0 b1
    smarty smarty 1.4.0 b2
    smarty smarty 1.3.2
    smarty smarty 1.3.1
    smarty smarty 1.3.0
    smarty smarty 1.2.2
    smarty smarty 1.2.1
    smarty smarty 1.2.0
    smarty smarty 1.1.0
    smarty smarty 1.0b
    smarty smarty 1.0a
    smarty smarty 1.0
    smarty smarty 2.6.10
    smarty smarty 2.6.17
    smarty smarty 2.6.2
    smarty smarty 2.6.7
    smarty smarty 2.6.18
    smarty smarty 2.6.3
    smarty smarty 2.6.4
    smarty smarty 2.6.5
    smarty smarty 2.6.6
    mahara mahara 1.0.8
    mahara mahara 1.0.6
    mahara mahara 1.0.5
    mahara mahara 1.0.4
    mahara mahara 1.0.3
    mahara mahara 1.0.2
    mahara mahara 1.0.1
    mahara mahara 1.1.1
    mahara mahara 1.1.0
    mahara mahara 1.0.10
    mahara mahara 1.1.2
    mahara mahara 1.0.9
    mahara mahara 1.1.4
    mahara mahara 1.0.11
    mahara mahara 1.0.12
    mahara mahara 1.1.5
    mahara mahara 1.1.6
    mahara mahara 1.1.3
    gentoo linux *
    mandrakesoft mandrake linux corporate server 4.0
    mandrakesoft mandrake linux corporate server 4.0
    mandrakesoft mandrake linux 2008.0
    debian debian linux 4.0
    mandrakesoft mandrake linux 2008.0
    mandrakesoft mandrake linux 2008.1 x86_64
    mandrakesoft mandrake linux 2008.1
    canonical ubuntu 8.04
    mandriva linux 2009.0
    mandriva linux 2009.0 -
    debian debian linux 5.0