MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTczOG0tZjMzdi1xYzJy

Low EPSS: 0.00948% (0.75428 Percentile) EPSS:

Permalink JSON

SMTP Injection in PHPMailer

Affected Packages	Affected Versions	Fixed Versions
packagist:phpmailer/phpmailer	>= 5.0.0, < 5.2.14	5.2.14
1,306 Dependent packages 19,318 Dependent repositories 79,187,334 Downloads total Affected Version Ranges All affected versions 5.2.2, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.2.9, 5.2.10, 5.2.11, 5.2.12, 5.2.13 All unaffected versions 5.2.14, 5.2.15, 5.2.16, 5.2.17, 5.2.18, 5.2.19, 5.2.20, 5.2.21, 5.2.22, 5.2.23, 5.2.24, 5.2.25, 5.2.26, 5.2.27, 5.2.28, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.2.0, 6.3.0, 6.4.0, 6.4.1, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.7.1, 6.8.0, 6.8.1, 6.9.0, 6.9.1, 6.9.2, 6.9.3

Impact

Attackers could inject arbitrary SMTP commands via by exploiting the fact that valid email addresses may contain line breaks, which are not handled correctly in some contexts.

Patches

Fixed in 5.2.14 in this commit.

Workarounds

Manually strip line breaks from email addresses before passing them to PHPMailer.

References

https://nvd.nist.gov/vuln/detail/CVE-2015-8476

For more information

If you have any questions or comments about this advisory:

Open a private issue in the PHPMailer project

References:

Identifiers

GHSA-738m-f33v-qc2r

CVE-2015-8476

Risk

Severity

Low

EPSS

EPSS Percentage: 0.00948

EPSS Percentile: 0.75428

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/PHPMailer/PHPMailer

Date and time

Published

over 5 years ago

Updated

over 2 years ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories