CVSS3: 8.1 High
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

phpmailer/phpmailer is vulnerable to arbitrary code execution. When the `$patternselect` parameter in `validateAddress()` is set to the default `php` defined by `PHPMailer::$validator`, and the global namespace contains a function called `php`, untrusted code can be called when such code is injected into the project's scope through other means.
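
The dispatch pattern described above, shown beside a hardened form, as an added PHP illustration that is not PHPMailer's own code. The names `validateAddressWeak`, `validateAddressStrict` and `builtinCheck`, and the stand-in `php()` function, are hypothetical and constructed for this example.

```php
<?php
// Added illustration; a simplified model, not PHPMailer's source.
// Assumption: the selector is either a built-in pattern name or a callable.

$calls = []; // records invocations of the stand-in below

// Constructed stand-in for a function named php() that reached the global
// namespace through other means; it only records that it was invoked.
function php($address)
{
    global $calls;
    $calls[] = $address;
    return true; // its return value would be taken as the validation result
}

// Hypothetical built-in pattern shared by both variants.
function builtinCheck($address)
{
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

// Vulnerable shape: any callable selector is invoked, including a plain
// string that happens to name a global function.
function validateAddressWeak($address, $patternselect = 'php')
{
    if (is_callable($patternselect)) {
        return call_user_func($patternselect, $address);
    }
    return builtinCheck($address);
}

// Hardened shape: strings are treated only as pattern names; only
// non-string callables (closures, [object, method] pairs) are invoked.
function validateAddressStrict($address, $patternselect = 'php')
{
    if (!is_string($patternselect) && is_callable($patternselect)) {
        return call_user_func($patternselect, $address);
    }
    return builtinCheck($address);
}

var_dump(validateAddressWeak('not an address'));   // result comes from global php()
var_dump(validateAddressStrict('not an address')); // result comes from the built-in pattern
var_dump(count($calls));                           // number of times php() was invoked
```
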

CPE
Name | Operator | Version |
---|---|---|
phpmailer/phpmailer | le | v6.4.1 |
libphp-phpmailer:sid | eq | 6.1.8-1 |
libphp-phpmailer:sid | eq | 6.2.0-1 |

github.com/PHPMailer/PHPMailer/commit/45f3c18dc6a2de1cb1bf49b9b249a9ee36a5f7f3
lists.fedoraproject.org/archives/list/[email protected]/message/3YRMWGA4VTMXFB22KICMB7YMFZNFV3EJ/
lists.fedoraproject.org/archives/list/[email protected]/message/FJYSOFCUBS67J3TKR74SD3C454N7VTYM/
www.huntr.dev/bounties/1-PHPMailer/PHPMailer/