An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS0zOThqLWY3bTctNzk1as4AAvLp

High EPSS: 0.00388% (0.58766 Percentile) EPSS:

PHPMailer vulnerable to email header injection

Affected Packages Affected Versions Fixed Versions
packagist:phpmailer/phpmailer < 2.2.1 2.2.1
1,306 Dependent packages
19,318 Dependent repositories
79,187,334 Downloads total

Affected Version Ranges

All affected versions

All unaffected versions

5.2.2, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.2.9, 5.2.10, 5.2.11, 5.2.12, 5.2.13, 5.2.14, 5.2.15, 5.2.16, 5.2.17, 5.2.18, 5.2.19, 5.2.20, 5.2.21, 5.2.22, 5.2.23, 5.2.24, 5.2.25, 5.2.26, 5.2.27, 5.2.28, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.2.0, 6.3.0, 6.4.0, 6.4.1, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.7.1, 6.8.0, 6.8.1, 6.9.0, 6.9.1, 6.9.2, 6.9.3

Impact

Arbitrary additional email headers can be injected via crafted From or Sender headers.

Patches

Fixed in 2.2.1

Workarounds

Filter user-supplied values prior to using them in From or Sender properties.

References

https://nvd.nist.gov/vuln/detail/CVE-2012-0796

For more information

If you have any questions or comments about this advisory:

References: