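Smarty before 3.1.39 allows code injection via an unexpected function name following a `{function name=` substring in template source. Because the injection point is template syntax, exposure presumably depends on whether untrusted parties can supply or edit templates. Upstream releases from 3.1.39 onward are not affected.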
{ "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro", "ubuntu_priority": "medium", "binaries": [ { "binary_version": "3.1.21-1ubuntu1+esm1", "binary_name": "smarty3" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_version": "3.1.31+20161214.1.c7d42e4+selfpack1-3ubuntu0.1", "binary_name": "smarty3" } ] }
{ "ubuntu_priority": "medium" }
{ "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro", "ubuntu_priority": "medium", "binaries": [ { "binary_version": "3.1.34+20190228.1.c9f0de05+selfpack1-1ubuntu0.1~esm1", "binary_name": "smarty3" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_version": "3.1.39-2", "binary_name": "smarty3" } ] }