VDB
CVE-2021-26120
CVE-2021-26120
PUBLISHED
Smarty before 3.1.39 allows code injection via an unexpected function name after a {function name= substring.
EPSS 75.58% · 98.9th percentile
Risk Scores
EPSS Score
75.58%
98.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:Pro:20.04:LTS | smarty3 | 3.1.34+20190228.1.c9f0de05+selfpack1-1, 0, 3.1.33+20180830.1.3a78a21f+selfpack1-1 |
| Ubuntu:Pro:16.04:LTS | smarty3 | 0, 3.1.21-1, 3.1.21-1ubuntu1 |
| Ubuntu:18.04:LTS | smarty3 | 3.1.31+20161214.1.c7d42e4+selfpack1-2, 0, 3.1.31+20161214.1.c7d42e4+selfpack1-3 |
Exploit Intelligence
- https://github.com/smarty-php/smarty/blob/master/CHANGELOG.md (circl)
- [debian-lts-announce] 20210405 [SECURITY] [DLA 2618-1] smarty3 security update (circl)
- [debian-lts-announce] 20210416 [SECURITY] [DLA 2618-2] smarty3 regression update (circl)
- GLSA-202105-06 (circl)
- DSA-5151 (circl)
- data_v2.json (github-poc)
- data_v2.json (github-poc)
- data_v2.json (github-poc)
- data_v2.json (github-poc)
- data_v2.json (github-poc)
…and 2 more exploits
Timeline
- Feb 22, 2021 CVE Published
- Apr 14, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Oct 14, 2022 CVE Updated
- Nov 6, 2022 EPSS Score
- Mar 7, 2023 EPSS Score
- Mar 20, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2021-26120 third-party-advisory
- https://github.com/smarty-php/smarty/blob/master/CHANGELOG.md third-party-advisory
- https://ubuntu.com/security/notices/USN-5348-1 vendor-advisory
- https://ubuntu.com/security/notices/USN-5348-3 vendor-advisory
- https://ubuntu.com/security/notices/USN-5348-2 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2021-26120 third-party-advisory