Smarty before 3.1.39 allows a Sandbox Escape because $smarty.template_object can be accessed in sandbox mode.
{ "binaries": [ { "binary_name": "smarty3", "binary_version": "3.1.21-1ubuntu1+esm1" } ], "ubuntu_priority": "medium", "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro" }
{ "binaries": [ { "binary_name": "smarty3", "binary_version": "3.1.31+20161214.1.c7d42e4+selfpack1-3ubuntu0.1" } ], "ubuntu_priority": "medium", "availability": "No subscription required" }
{ "binaries": [ { "binary_name": "smarty3", "binary_version": "3.1.34+20190228.1.c9f0de05+selfpack1-1ubuntu0.1+esm1" } ], "ubuntu_priority": "medium", "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro" }
{ "binaries": [ { "binary_name": "smarty3", "binary_version": "3.1.39-2" } ], "ubuntu_priority": "medium", "availability": "No subscription required" }