This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor Phpmailer Project First view 2015-12-16
Product Phpmailer Last view 2021-06-17
Version Type
Update  
Edition  
Language  
Sofware Edition  
Target Software  
Target Hardware  
Other  

Activity : Overall

COMMON PLATFORM ENUMERATION: Repartition per Version

CPE Name Affected CVE
cpe:2.3:a:phpmailer_project:phpmailer:*:*:*:*:*:*:*:* 9
cpe:2.3:a:phpmailer_project:phpmailer:5.2.23:*:*:*:*:*:*:* 6

Related : CVE

  Date Alert Description
8.1 2021-06-17 CVE-2021-3603

PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host project's scope by other means). If the $patternselect parameter to validateAddress() is set to 'php' (the default, defined by PHPMailer::$validator), and the global namespace contains a function called php, it will be called in preference to the built-in validator of the same name. Mitigated in PHPMailer 6.5.0 by denying the use of simple strings as validator function names.

8.1 2021-06-16 CVE-2021-34551

PHPMailer before 6.5.0 on Windows allows remote code execution if lang_path is untrusted data and has a UNC pathname.

9.8 2021-04-28 CVE-2020-36326

PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.

7.5 2020-06-08 CVE-2020-13625

PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message.

8.8 2018-11-16 CVE-2018-19296

PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.

6.1 2017-07-20 CVE-2017-11503

PHPMailer 5.2.23 has XSS in the "From Email Address" and "To Email Address" fields of code_generator.php.

5.5 2017-01-16 CVE-2017-5223

An issue was discovered in PHPMailer before 5.2.22. PHPMailer's msgHTML method applies transformations to an HTML document to make it usable as an email message body. One of the transformations is to convert relative image URLs into attachments using a script-provided base directory. If no base directory is provided, it resolves to /, meaning that relative image URLs get treated as absolute local file paths and added as attachments. To form a remote vulnerability, the msgHTML method must be called, passed an unfiltered, user-supplied HTML document, and must not set a base directory.

9.8 2016-12-30 CVE-2016-10045

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.

9.8 2016-12-30 CVE-2016-10033

The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.

5 2015-12-16 CVE-2015-8476

Multiple CRLF injection vulnerabilities in PHPMailer before 5.2.14 allow attackers to inject arbitrary SMTP commands via CRLF sequences in an (1) email address to the validateAddress function in class.phpmailer.php or (2) SMTP command to the sendCommand function in class.smtp.php, a different vulnerability than CVE-2012-0796.

CWE : Common Weakness Enumeration

%idName
22% (2) CWE-502 Deserialization of Untrusted Data
11% (1) CWE-434 Unrestricted Upload of File with Dangerous Type
11% (1) CWE-200 Information Exposure
11% (1) CWE-116 Improper Encoding or Escaping of Output
11% (1) CWE-88 Argument Injection or Modification
11% (1) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
11% (1) CWE-77 Improper Sanitization of Special Elements used in a Command ('Comma...
11% (1) CWE-20 Improper Input Validation

SAINT Exploits

Description Link
PHPMailer PwnScriptum Remote Code Execution More info here
PHPMailer Command Injection in WordPress Core via Exim More info here

Snort® IPS/IDS

Date Description
2018-11-06 PHPMailer information disclosure attempt
RuleID : 48029 - Type : SERVER-MAIL - Revision : 2
2018-04-12 PHPMailer command injection remote code execution attempt
RuleID : 45917 - Type : SERVER-WEBAPP - Revision : 1
2017-04-06 PHPMailer command injection remote code execution attempt
RuleID : 41813 - Type : SERVER-WEBAPP - Revision : 3
2017-02-01 PHPMailer command injection remote code execution attempt
RuleID : 41106 - Type : SERVER-WEBAPP - Revision : 5

Nessus® Vulnerability Scanner

This CPE Product have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
id Description
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-f73869d61e.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-a2e9bd6eae.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-18f3eff32b.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-0f5e6e9957.nasl - Type: ACT_GATHER_INFO
2018-12-10 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4351.nasl - Type: ACT_GATHER_INFO
2018-11-27 Name: The remote Fedora host is missing a security update.
File: fedora_2018-daee493feb.nasl - Type: ACT_GATHER_INFO
2018-11-27 Name: The remote Fedora host is missing a security update.
File: fedora_2018-46b92c9064.nasl - Type: ACT_GATHER_INFO
2018-11-26 Name: The remote Debian host is missing a security update.
File: debian_DLA-1591.nasl - Type: ACT_GATHER_INFO
2018-11-23 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_b036fabaedd811e8b3b700e04c1ea73d.nasl - Type: ACT_GATHER_INFO
2017-08-24 Name: The remote FreeBSD host is missing a security-related update.
File: freebsd_pkg_c5d79773880111e793f7d43d7e971a1b.nasl - Type: ACT_GATHER_INFO
2017-08-11 Name: The remote Fedora host is missing a security update.
File: fedora_2017-0bc23764e7.nasl - Type: ACT_GATHER_INFO
2017-08-07 Name: The remote Fedora host is missing a security update.
File: fedora_2017-ab55648aa7.nasl - Type: ACT_GATHER_INFO
2017-07-31 Name: The remote Fedora host is missing a security update.
File: fedora_2017-f838eb0c5e.nasl - Type: ACT_GATHER_INFO
2017-05-19 Name: The remote device is missing a vendor-supplied security patch.
File: f5_bigip_SOL73926196.nasl - Type: ACT_GATHER_INFO
2017-05-16 Name: The remote device is missing a vendor-supplied security patch.
File: f5_bigip_SOL74977440.nasl - Type: ACT_GATHER_INFO
2017-03-20 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_f72d98d10b7e11e7970f002590263bf5.nasl - Type: ACT_GATHER_INFO
2017-02-07 Name: The remote Debian host is missing a security update.
File: debian_DLA-817.nasl - Type: ACT_GATHER_INFO
2017-01-18 Name: A PHP application running on the remote web server is affected by multiple vu...
File: wordpress_4_7_1.nasl - Type: ACT_GATHER_INFO
2017-01-18 Name: The remote Fedora host is missing a security update.
File: fedora_2017-c3dc97e1e1.nasl - Type: ACT_GATHER_INFO
2017-01-13 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_7ae0be99d8bb11e69b7fd43d7e971a1b.nasl - Type: ACT_GATHER_INFO
2017-01-06 Name: The remote Fedora host is missing a security update.
File: fedora_2016-6941d25875.nasl - Type: ACT_GATHER_INFO
2017-01-03 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-3750.nasl - Type: ACT_GATHER_INFO
2017-01-03 Name: The remote Debian host is missing a security update.
File: debian_DLA-770.nasl - Type: ACT_GATHER_INFO
2016-12-29 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_3c4693deccf711e6a9a5b499baebfeaf.nasl - Type: ACT_GATHER_INFO
2016-12-27 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_c7656d4ccb6011e6a9a5b499baebfeaf.nasl - Type: ACT_GATHER_INFO