6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
39.7%
PHPMailer versions prior to 5.2.24 (released July 26th 2017) have an XSS vulnerability in one of the code examples, CVE-2017-11503. The code_generator.phps example did not filter user input prior to output. This file is distributed with a .phps
extension, so it it not normally executable unless it is explicitly renamed, and the file is not included when PHPMailer is loaded through composer, so it is safe by default. There was also an undisclosed potential XSS vulnerability in the default exception handler (unused by default). Patches for both issues kindly provided by Patrick Monnerat of the Fedora Project.
PHPMailer 5.2.23 has XSS in the "From Email Address" and "To Email Address" fields of code_generator.php.
Fixed in 5.2.24
None.
https://nvd.nist.gov/vuln/detail/CVE-2017-11503
If you have any questions or comments about this advisory:
CPE | Name | Operator | Version |
---|---|---|---|
phpmailer/phpmailer | lt | 5.2.24 |
www.securityfocus.com/bid/99293/
www.securitytracker.com/id/1039026
cxsecurity.com/issue/WLB-2017060181
github.com/advisories/GHSA-58mj-pw57-4vm2
github.com/FriendsOfPHP/security-advisories/blob/master/phpmailer/phpmailer/CVE-2017-11503.yaml
github.com/PHPMailer/PHPMailer/releases/tag/v5.2.24
github.com/PHPMailer/PHPMailer/security/advisories/GHSA-58mj-pw57-4vm2
nvd.nist.gov/vuln/detail/CVE-2017-11503
packetstormsecurity.com/files/143138/phpmailer-xss.txt
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
39.7%