CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
EPSS: 0.003 Low
Percentile: 64.9%
Attackers could inject arbitrary SMTP commands by exploiting the fact that valid email addresses may contain line breaks, which are not handled correctly in some contexts.
Fixed in 5.2.14 in this commit.
Manually strip line breaks from email addresses before passing them to PHPMailer.
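The workaround above, written as an added PHP example (not PHPMailer's own code and not part of the advisory). The helper name `clean_address` and its `$strict` switch are hypothetical, and the sample addresses are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not part of PHPMailer): make an address safe to hand
 * to a PHPMailer version older than 5.2.14.
 *
 * $strict = true  : refuse any address that contains CR or LF.
 * $strict = false : strip CR/LF, as the workaround describes, then validate.
 */
function clean_address(string $raw, bool $strict = true): string
{
    $hasBreak = preg_match('/[\r\n]/', $raw) === 1;
    if ($hasBreak && $strict) {
        throw new InvalidArgumentException('line break in email address');
    }
    // Remove every CR and LF so the value can never end an SMTP command line.
    $address = str_replace(["\r", "\n"], '', $raw);

    // Stripping can leave a malformed address; do not pass that on either.
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('not a valid email address');
    }
    return $address;
}

// Constructed sample inputs, for illustration only.
$samples = [
    'alice@example.com',
    "alice@example.com\r\n",
    "alice@exam\nple.com",
    "alice@example.com\r\nEXTRA LINE",
];

foreach ($samples as $raw) {
    foreach ([true, false] as $strict) {
        try {
            $result = 'ok: ' . clean_address($raw, $strict);
        } catch (InvalidArgumentException $e) {
            $result = 'rejected: ' . $e->getMessage();
        }
        printf("%-40s strict=%d  %s\n", json_encode($raw), (int) $strict, $result);
    }
}

// With PHPMailer: $mail->addAddress(clean_address($userInput));
```

Apply the same helper to every address that originates from user input, including sender and reply-to values, not only recipients.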
https://nvd.nist.gov/vuln/detail/CVE-2015-8476
If you have any questions or comments about this advisory:
lists.fedoraproject.org/pipermail/package-announce/2016-February/177130.html
lists.fedoraproject.org/pipermail/package-announce/2016-February/177139.html
www.debian.org/security/2015/dsa-3416
www.openwall.com/lists/oss-security/2015/12/04/5
www.openwall.com/lists/oss-security/2015/12/05/1
www.securityfocus.com/bid/78619
github.com/FriendsOfPHP/security-advisories/blob/master/phpmailer/phpmailer/CVE-2015-8476.yaml
github.com/PHPMailer/PHPMailer/commit/6687a96a18b8f12148881e4ddde795ae477284b0
github.com/PHPMailer/PHPMailer/releases/tag/v5.2.14
github.com/PHPMailer/PHPMailer/security/advisories/GHSA-738m-f33v-qc2r
nvd.nist.gov/vuln/detail/CVE-2015-8476