The mailSend function in the default isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted
Fixed in 5.2.18
Filter and validate user input before passing it to internal functions.
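One way to apply this workaround, as an added example that is not PHPMailer's own code: a conservative allowlist check run on a user-supplied address before it is handed to the mailer. The function name `safe_sender_address` and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not part of PHPMailer): return the address unchanged
 * if it is a plain dot-atom address, or null if it must be rejected.
 * Quoted local parts, backslashes, quotes and whitespace are never accepted,
 * so a \" sequence cannot get through.
 */
function safe_sender_address(string $input): ?string
{
    // Bound the length first (254 is the usual maximum for an address).
    if ($input === '' || strlen($input) > 254) {
        return null;
    }
    // Allowlist: alphanumeric first character, then a restricted set in the
    // local part; the domain is one or more plain hostname labels.
    $label   = '[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?';
    $pattern = '/\A[A-Za-z0-9][A-Za-z0-9._%+-]{0,63}@' . $label . '(?:\.' . $label . ')+\z/';
    if (preg_match($pattern, $input) !== 1) {
        return null;
    }
    // Second opinion from PHP's built-in validator.
    if (filter_var($input, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $input;
}

// Constructed sample inputs, for demonstration only.
$samples = [
    'user@example.com',
    'first.last+tag@mail.example.org',
    '"a\" b"@example.com',   // quoted local part containing \" is rejected
    'user name@example.com', // whitespace is rejected
    "user@example.com\n",    // trailing newline is rejected
];

foreach ($samples as $candidate) {
    $verdict = safe_sender_address($candidate) === null ? 'reject' : 'accept';
    echo $verdict . ': ' . json_encode($candidate) . PHP_EOL;
}
```

Rejecting on failure rather than trying to strip or escape characters keeps the check independent of how the address is later quoted for the mail command.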
https://nvd.nist.gov/vuln/detail/CVE-2016-10033
Related to a follow-on issue in https://nvd.nist.gov/vuln/detail/CVE-2016-10045
If you have any questions or comments about this advisory:
* Open a private issue in the PHPMailer project