Miggo Logo
Miggo Vulnerability Database
CVE-2018-25047

CVE-2018-25047: Smarty Cross-site Scripting vulnerability in pages that use smarty_function_mailto

5.4

CVSS Score
3.1

Basic Information

CVE ID
CVE-2018-25047
GHSA ID
GHSA-hwq7-5vv9-c6cf
EPSS Score
0.51874%
CWE
CWE-79
Published
9/16/2022
Updated
2/3/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
smarty/smartycomposer< 3.1.473.1.47
smarty/smartycomposer>= 4.0.0, < 4.2.14.2.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The commit diff shows the vulnerable function added htmlspecialchars() escaping to the address/text parameters in the mailto link generation. Prior to this fix, parameters were directly interpolated into HTML/JS contexts without proper encoding. The CVE description explicitly states the mailto plugin's handling of user parameters was the attack vector, and the GitHub issue #454 demonstrates a working XSS payload exploiting this lack of escaping.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In Sm*rty ***or* *.*.** *n* *.x ***or* *.*.*, `li*s/plu*ins/*un*tion.m*ilto.p*p` *llows *ross-sit* s*riptin*. * w** p*** t**t us*s `sm*rty_*un*tion_m*ilto`, *n* t**t *oul* ** p*r*m*t*riz** usin* **T or POST input p*r*m*t*rs, *oul* *llow inj**tion o*

Reasoning

T** *ommit *i** s*ows t** vuln*r**l* `*un*tion` ***** `*tmlsp**i*l***rs()` *s**pin* to t** ***r*ss/t*xt p*r*m*t*rs in t** m*ilto link **n*r*tion. Prior to t*is *ix, p*r*m*t*rs w*r* *ir**tly int*rpol*t** into *TML/JS *ont*xts wit*out prop*r *n*o*in*.