CVE-2023-28447: 
PHP vulnerability analysis and mitigation

Smarty, a template engine for PHP, was found to contain a cross-site scripting (XSS) vulnerability identified as CVE-2023-28447. The vulnerability was discovered and disclosed on March 28, 2023, affecting versions prior to 3.1.48 and 4.3.1. The issue stems from improper escaping of JavaScript code in the template engine (NVD, GitHub Advisory).

The vulnerability is classified as a Cross-site Scripting (CWE-79) issue with a CVSS v3.1 base score of 6.1 (MEDIUM) according to NVD, and 7.1 (HIGH) according to GitHub. The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that it is network exploitable, requires low attack complexity, needs no privileges, but does require user interaction (NVD).

When exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the context of the user's browser session. This can lead to unauthorized access to sensitive user data, manipulation of web application behavior, or unauthorized actions performed on behalf of the user (GitHub Advisory).

Users are advised to upgrade to either version 3.1.48 or 4.3.1 to resolve this issue. There are no known workarounds for this vulnerability. The fix has been implemented in the official releases and distributed through various package managers (GitHub Advisory, Fedora Update).