GitHub Advisory DatabaseGHSA-6H78-85V2-MMCHPHPMailer Shell command injection
7.8 High
AI Score
Confidence
High
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.016 Low
EPSS
Percentile
87.0%
PHPMailer before 1.7.4, when configured to use sendmail, allows remote attackers to execute arbitrary shell commands via shell metacharacters in the SendmailSend function in class.phpmailer.php.
Impact
Shell command injection, remotely exploitable if host application does not filter user data appropriately.
Patches
Fixed in 1.7.4
Workarounds
Filter and validate user-supplied data before putting in the into the Sender property.
References
https://nvd.nist.gov/vuln/detail/CVE-2007-3215
For more information
If you have any questions or comments about this advisory:
- Open a private issue in the PHPMailer project
| CPE | Name | Operator | Version |
|---|---|---|---|
| phpmailer/phpmailer | lt | 1.7.4 |
References
cxsecurity.com/issue/WLB-2007060063
exchange.xforce.ibmcloud.com/vulnerabilities/34818
github.com/advisories/GHSA-6h78-85v2-mmch
github.com/PHPMailer/PHPMailer/security/advisories/GHSA-6h78-85v2-mmch
seclists.org/fulldisclosure/2011/Oct/223
sourceforge.net/p/phpmailer/bugs/192/
web.archive.org/web/20070714054359/larholm.com/2007/06/11/phpmailer-0day-remote-execution/
yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_rce
Related
7.8 High
AI Score
Confidence
High
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.016 Low
EPSS
Percentile
87.0%