7.8 High
AI Score
Confidence
High
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.016 Low
EPSS
Percentile
87.0%
PHPMailer before 1.7.4, when configured to use sendmail, allows remote attackers to execute arbitrary shell commands via shell metacharacters in the SendmailSend function in class.phpmailer.php
.
Shell command injection, remotely exploitable if host application does not filter user data appropriately.
Fixed in 1.7.4
Filter and validate user-supplied data before putting in the into the Sender
property.
https://nvd.nist.gov/vuln/detail/CVE-2007-3215
If you have any questions or comments about this advisory:
CPE | Name | Operator | Version |
---|---|---|---|
phpmailer/phpmailer | lt | 1.7.4 |
cxsecurity.com/issue/WLB-2007060063
exchange.xforce.ibmcloud.com/vulnerabilities/34818
github.com/advisories/GHSA-6h78-85v2-mmch
github.com/PHPMailer/PHPMailer/security/advisories/GHSA-6h78-85v2-mmch
seclists.org/fulldisclosure/2011/Oct/223
sourceforge.net/p/phpmailer/bugs/192/
web.archive.org/web/20070714054359/larholm.com/2007/06/11/phpmailer-0day-remote-execution/
yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_rce