OSV:GHSA-738M-F33V-QC2R
Mar 05, 2020 - 10:09 p.m.

SMTP Injection in PHPMailer

2020-03-05 22:09:19
Google
osv.dev

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS: 0.003 Low
Percentile: 64.9%

Impact

Attackers could inject arbitrary SMTP commands by exploiting the fact that valid email addresses may contain line breaks, which are not handled correctly in some contexts.

Patches

Fixed in 5.2.14 in this commit.

Workarounds

Manually strip line breaks from email addresses before passing them to PHPMailer.
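
One way to apply this workaround in application code, as an added example that is not part of the advisory or of PHPMailer. The helper names stripAddressLineBreaks and cleanRecipients and the sample addresses are hypothetical; the PHPMailer call appears only in a comment so the script runs on its own.

```php
<?php
declare(strict_types=1);

/**
 * Strip CR and LF from an address before it is handed to PHPMailer.
 * Returns the cleaned address plus a flag so the caller can log the event.
 * (Hypothetical helper, not part of PHPMailer.)
 */
function stripAddressLineBreaks(string $address): array
{
    $clean = str_replace(["\r", "\n"], '', $address);
    return ['address' => $clean, 'modified' => $clean !== $address];
}

/**
 * Clean a list of recipient addresses and log any that carried line breaks.
 */
function cleanRecipients(array $addresses): array
{
    $out = [];
    foreach ($addresses as $raw) {
        $raw = (string) $raw;
        $result = stripAddressLineBreaks($raw);
        if ($result['modified']) {
            // Escape the control characters so the log entry stays on one line.
            error_log('Line break stripped from address: ' . addcslashes($raw, "\r\n"));
        }
        $out[] = $result['address'];
    }
    return $out;
}

// Constructed sample input: the second value carries an embedded CRLF.
$recipients = [
    'alice@example.com',
    "bob@example.com\r\nEXTRA LINE",
];

foreach (cleanRecipients($recipients) as $address) {
    // With PHPMailer loaded, the cleaned value is what gets passed on:
    // $mail->addAddress($address);
    echo $address, PHP_EOL;
}
```

The same cleaning applies to every address-bearing value the application passes to PHPMailer, not only recipients. A value that needed stripping is rarely a legitimate address, so the log entry is worth reviewing.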

References

https://nvd.nist.gov/vuln/detail/CVE-2015-8476

For more information

If you have any questions or comments about this advisory:
