Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS02aDc4LTg1djItbW1jaM4AA5CX

PHPMailer Shell command injection

PHPMailer before 1.7.4, when configured to use sendmail, allows remote attackers to execute arbitrary shell commands via shell metacharacters in the SendmailSend function in class.phpmailer.php.

Impact

Shell command injection, remotely exploitable if host application does not filter user data appropriately.

Patches

Fixed in 1.7.4

Workarounds

Filter and validate user-supplied data before putting in the into the Sender property.

References

https://nvd.nist.gov/vuln/detail/CVE-2007-3215

For more information

If you have any questions or comments about this advisory:

Permalink: https://github.com/advisories/GHSA-6h78-85v2-mmch
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02aDc4LTg1djItbW1jaM4AA5CX
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 23 days ago
Updated: 23 days ago


Identifiers: GHSA-6h78-85v2-mmch, CVE-2007-3215
References:

Affected Packages

packagist:phpmailer/phpmailer
Versions: < 1.7.4
Fixed in: 1.7.4