CVE-2023-28447

7.1 HIGH

📋 TL;DR

CVE-2023-28447 is a cross-site scripting (XSS) vulnerability in the Smarty PHP template engine, caused by JavaScript output not being escaped properly. It allows attackers to execute arbitrary JavaScript in users' browsers, potentially stealing session cookies, redirecting users, or performing unauthorized actions on their behalf. Any PHP application rendering templates with a vulnerable Smarty version is affected.

💻 Affected Systems

Products:
  • Smarty PHP Template Engine
Versions: All versions before 3.1.48 and 4.x before 4.3.1
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Any PHP application using Smarty templates with user-controllable input is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full account takeover via session hijacking, data theft, complete web application compromise, and unauthorized administrative actions.

🟠 Likely Case

Session hijacking leading to unauthorized access, data exfiltration, and client-side defacement.

🟢 If Mitigated

Limited impact where strict Content Security Policy (CSP) headers and input validation are in place, although XSS may still bypass some of these controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS vulnerabilities are commonly exploited, and a proof of concept is included in the vendor advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.48 or 4.3.1

Vendor Advisory: https://github.com/smarty-php/smarty/security/advisories/GHSA-7j98-h7fp-4vwj

Restart Required: No

Instructions:

1. Identify the Smarty version in use.
2. Update via Composer: 'composer require smarty/smarty:^3.1.48' (3.x line) or 'composer require smarty/smarty:^4.3.1' (4.x line).
3. Verify the update with 'composer show smarty/smarty'.
4. Test application functionality.

🔧 Temporary Workarounds

Manual JavaScript Escaping

Applies to: all

Manually escape values emitted into JavaScript contexts in templates, using htmlspecialchars or custom filters.

In templates: {$variable|escape:'javascript'}

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to block inline JavaScript execution.
  • Apply web application firewall (WAF) rules to detect and block XSS payloads.

🔍 How to Verify

Check if Vulnerable:

Check composer.json, composer.lock or the Smarty version constant in code: if the version is below 3.1.48, or a 4.x release below 4.3.1, the installation is vulnerable.

Check Version:

php -r "require 'vendor/autoload.php'; echo \Smarty::SMARTY_VERSION;"

Verify Fix Applied:

Confirm the installed version is 3.1.48 or later (3.x line) or 4.3.1 or later (4.x line) via 'composer show smarty/smarty' or by checking the Smarty class constant shown above.
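As an added example that is not part of this advisory, the following POSIX shell helper applies the two thresholds above (3.1.48 for the 3.x line, 4.3.1 for the 4.x line) to a version string and to the output of 'composer show smarty/smarty'. The sample composer output embedded in it is constructed for a vulnerable install; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added helper (not from the advisory): classify an installed Smarty release
# against the CVE-2023-28447 thresholds stated above.

# Convert "MAJOR.MINOR.PATCH" (optional leading "v", optional "-suffix") into an
# integer that sorts numerically, e.g. "v4.3.1" -> 4003001.
ver_to_num() {
    v=${1#v}; v=${v%%-*}
    old_ifs=$IFS; IFS=.
    set -- $v
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Print "vulnerable" or "fixed" for a Smarty version string.
# 3.x is fixed from 3.1.48, 4.x from 4.3.1; majors below 3 predate both fixes,
# majors above 4 postdate them, so the 3.x threshold covers those too.
smarty_status() {
    ver=${1#v}
    n=$(ver_to_num "$ver")
    case "${ver%%.*}" in
        4) threshold=$(ver_to_num 4.3.1) ;;
        *) threshold=$(ver_to_num 3.1.48) ;;
    esac
    [ "$n" -ge "$threshold" ] && echo fixed || echo vulnerable
}

# Read 'composer show smarty/smarty' text on stdin and print the installed version.
# Composer prints a line like "versions : * v4.3.0"; the "*" marks the installed one.
installed_from_composer_show() {
    awk '$1 == "versions" { for (i = 2; i <= NF; i++) if ($i == "*") { print $(i+1); exit } }'
}

# Constructed sample of 'composer show smarty/smarty' output (vulnerable 4.x install).
SAMPLE_COMPOSER_SHOW='name     : smarty/smarty
descrip. : Smarty - the compiling PHP template engine
versions : * v4.3.0'

# Report "<version> <status>" for the constructed sample.
check_sample() {
    v=$(printf '%s\n' "$SAMPLE_COMPOSER_SHOW" | installed_from_composer_show)
    echo "$v $(smarty_status "$v")"
}

# Same report for the live project; run from the project root where composer is available.
check_live() {
    v=$(composer show smarty/smarty 2>/dev/null | installed_from_composer_show)
    [ -n "$v" ] && echo "$v $(smarty_status "$v")" || echo "smarty/smarty not installed"
}
```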

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript in template variables
  • Multiple failed XSS attempts in logs

Network Indicators:

  • Suspicious JavaScript payloads in HTTP requests
  • Unexpected external script loads

SIEM Query:

source="web_logs" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
