GSA_kwCzR0hTQS02aDc4LTg1djItbW1jaM4AA5CX

High EPSS: 0.03251% (0.8659 Percentile) EPSS:

Permalink JSON

PHPMailer Shell command injection

Affected Packages	Affected Versions	Fixed Versions
packagist:phpmailer/phpmailer	< 1.7.4	1.7.4
1,306 Dependent packages 19,318 Dependent repositories 79,187,334 Downloads total Affected Version Ranges All affected versions All unaffected versions 5.2.2, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.2.9, 5.2.10, 5.2.11, 5.2.12, 5.2.13, 5.2.14, 5.2.15, 5.2.16, 5.2.17, 5.2.18, 5.2.19, 5.2.20, 5.2.21, 5.2.22, 5.2.23, 5.2.24, 5.2.25, 5.2.26, 5.2.27, 5.2.28, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.2.0, 6.3.0, 6.4.0, 6.4.1, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.7.1, 6.8.0, 6.8.1, 6.9.0, 6.9.1, 6.9.2, 6.9.3

PHPMailer before 1.7.4, when configured to use sendmail, allows remote attackers to execute arbitrary shell commands via shell metacharacters in the SendmailSend function in class.phpmailer.php.

Impact

Shell command injection, remotely exploitable if host application does not filter user data appropriately.

Patches

Fixed in 1.7.4

Workarounds

Filter and validate user-supplied data before putting in the into the Sender property.

References

https://nvd.nist.gov/vuln/detail/CVE-2007-3215

For more information

If you have any questions or comments about this advisory:

Open a private issue in the PHPMailer project

References:

Identifiers

GHSA-6h78-85v2-mmch

CVE-2007-3215

Risk

Severity

High

EPSS

EPSS Percentage: 0.03251

EPSS Percentile: 0.8659

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/PHPMailer/PHPMailer

Date and time

Published

over 1 year ago

Updated

over 1 year ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories