| Field | Value |
|---|---|
| purl | pkg:composer/phpmailer/phpmailer@5.0.0 |
| Tags | Ghost |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-7kvh-8w1t-2kej (aliases: CVE-2015-8476, GHSA-738m-f33v-qc2r) | Multiple CRLF injection vulnerabilities allow attackers to inject arbitrary SMTP commands via CRLF sequences in an email address passed to the `validateAddress` function in `class.phpmailer.php`, or in an SMTP command passed to the `sendCommand` function in `class.smtp.php`. | Affected by 8 other vulnerabilities. |
| VCID-cq4m-3q7u-cbg3 (aliases: CVE-2016-10033, GHSA-5f37-gxvh-23v6) | Remote code execution in PHPMailer. Impact: the `mailSend` function in the default `isMail` transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a `\"` (backslash double quote) in a crafted `Sender` property. Patches: fixed in 5.2.18. Workarounds: filter and validate user input before passing it to internal functions. References: https://nvd.nist.gov/vuln/detail/CVE-2016-10033; related to a follow-on issue in https://nvd.nist.gov/vuln/detail/CVE-2016-10045. For more information: if you have any questions or comments about this advisory, open a private issue in [the PHPMailer project](https://github.com/PHPMailer/PHPMailer). | Affected by 7 other vulnerabilities. |
| VCID-f585-qf89-f7f3 (aliases: CVE-2018-19296, GHSA-7w4p-72j7-v7c2) | Object injection: PHPMailer is vulnerable to an object injection attack. | Affected by 3 other vulnerabilities. |
| VCID-xrtk-1rmg-7uca (aliases: CVE-2016-10045, GHSA-4pc3-96mx-wwc8) | Remote code execution in PHPMailer. Impact: the `isMail` transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the `mail` command and consequently execute arbitrary code by leveraging improper interaction between the `escapeshellarg` function and the internal escaping performed in PHP's mail function. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033. This issue really emphasises that it's worth avoiding the built-in PHP `mail()` function entirely. Patches: fixed in 5.2.20. Workarounds: send via SMTP to localhost instead of calling the `mail()` function. References: https://nvd.nist.gov/vuln/detail/CVE-2016-10045; see also https://nvd.nist.gov/vuln/detail/CVE-2016-10033. For more information: if you have any questions or comments about this advisory, open a private issue in [the PHPMailer project](https://github.com/PHPMailer/PHPMailer). | Affected by 6 other vulnerabilities. |
| VCID-ywsv-ddhg-b7es (aliases: CVE-2017-5223, GHSA-4x5h-cr29-fhp6) | Local file disclosure: PHPMailer's `msgHTML` method applies transformations to an HTML document to make it usable as an email message body. One of the transformations converts relative image URLs into attachments using a script-provided base directory. If no base directory is provided, it resolves to `/`, meaning that relative image URLs are treated as absolute local file paths and added as attachments. | Affected by 5 other vulnerabilities. |
| VCID-zju7-7wax-zfhz (aliases: CVE-2017-11503, GHSA-58mj-pw57-4vm2) | XSS vulnerability in a code example: the `code_generator.phps` example does not filter user input prior to output. This file is distributed with a `.phps` extension, so it is not normally executable unless it is explicitly renamed, and is therefore safe by default. There is also an undisclosed potential XSS vulnerability in the default exception handler (unused by default). | Affected by 4 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |