The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the
escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.
This issue really emphasises that it's worth avoiding the built-in PHP
mail() function entirely.
Fixed in 5.2.20
Send via SMTP to localhost instead of calling the
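
The workaround above (SMTP to localhost in place of the isMail transport), sketched as an added example that is not part of the advisory or the PHPMailer project's code. It assumes PHPMailer 5.2.x loaded through its bundled autoloader and a local MTA listening on 127.0.0.1:25; the helper name `buildLocalSmtpMailer` and the addresses are hypothetical.

```php
<?php
// Added example, not from the advisory. Assumes PHPMailer 5.2.x and a local
// MTA on 127.0.0.1:25; buildLocalSmtpMailer() is a hypothetical helper.
require 'PHPMailerAutoload.php';

function buildLocalSmtpMailer($fromAddress)
{
    $mail = new PHPMailer(true); // true: throw exceptions instead of returning false

    // Refuse to run on a release older than the fixed version named in the advisory.
    if (version_compare($mail->Version, '5.2.20', '<')) {
        throw new RuntimeException(
            'PHPMailer ' . $mail->Version . ' predates 5.2.20; upgrade before sending'
        );
    }

    // Defence in depth: reject a malformed sender before it reaches any transport.
    if (!PHPMailer::validateAddress($fromAddress)) {
        throw new InvalidArgumentException('Rejected sender address');
    }

    // The workaround: speak SMTP to the local MTA, so the sender travels in the
    // SMTP envelope and is never placed on a command line by PHP's mail().
    $mail->isSMTP();
    $mail->Host        = '127.0.0.1';
    $mail->Port        = 25;
    $mail->SMTPAuth    = false; // local relay without credentials (assumption)
    $mail->SMTPAutoTLS = false; // loopback only, no STARTTLS attempt (assumption)

    $mail->setFrom($fromAddress);
    return $mail;
}

// Constructed sample values.
$mail = buildLocalSmtpMailer('webform@example.com');
$mail->addAddress('ops@example.com');
$mail->Subject = 'Contact form';
$mail->Body    = 'Message body';
$mail->send();
```
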
https://nvd.nist.gov/vuln/detail/CVE-2016-10045
See also https://nvd.nist.gov/vuln/detail/CVE-2016-10033
If you have any questions or comments about this advisory:
* Open a private issue in the PHPMailer project