{"id":"CVE-2021-21408","details":"Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.43 and 4.0.3, template authors could run static PHP methods that were meant to be restricted. Users should upgrade to version 3.1.43 or 4.0.3 to receive a patch.","aliases":["GHSA-4h9c-v5vg-5m6m"],"modified":"2026-04-16T00:00:23.362743869Z","published":"2022-01-10T20:15:07.913Z","related":["GHSA-4h9c-v5vg-5m6m"],"database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","cpe":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"10.0"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"11.0"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"9.0"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"36"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"37"}]}]},"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI/"},{"type":"ADVISORY","url":"https://github.com/smarty-php/smarty/releases/tag/v3.1.43"},{"type":"ADVISORY","url":"https://github.com/smarty-php/smarty/releases/tag/v4.0.3"},{"type":"ADVISORY","url":"https://github.com/smarty-php/smarty/security/advisories/GHSA-4h9c-v5vg-5m6m"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00005.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202209-09"},{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5151"},{"type":"FIX","url":"https://git
hub.com/smarty-php/smarty/commit/19ae410bf56007a5ef24441cdc6414619cfaf664"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/smarty-php/smarty","events":[{"introduced":"0"},{"fixed":"273f7e00fec034f6d61112552e9caf08d19565b7"},{"introduced":"baebd59bb4da9fca89da382811b38c8313949c49"},{"fixed":"f707dadecbc145bac40f77f47595f32ec18eed01"},{"fixed":"19ae410bf56007a5ef24441cdc6414619cfaf664"}],"database_specific":{"source":["CPE_FIELD","REFERENCES"],"cpe":"cpe:2.3:a:smarty:smarty:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"3.1.43"},{"introduced":"4.0.0"},{"fixed":"4.0.3"}]}}],"versions":["v2.6.24","v2.6.25","v2.6.26","v2.6.27","v2.6.28","v3.1.11","v3.1.12","v3.1.13","v3.1.14","v3.1.15","v3.1.16","v3.1.17","v3.1.18","v3.1.19","v3.1.20","v3.1.21","v3.1.23","v3.1.24","v3.1.25","v3.1.26","v3.1.27","v3.1.28","v3.1.29","v3.1.30","v3.1.31","v3.1.32","v3.1.33","v3.1.34","v3.1.35","v3.1.36","v3.1.37","v3.1.37.1","v3.1.38","v3.1.39","v3.1.40","v3.1.41","v3.1.42","v4.0.0","v4.0.1","v4.0.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-21408.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}