Remote code execution in PHPMailer
Published:
2018-12-07 23:07:28
| Severity | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE ID | CVE-2018-19296 |
| CVSSv3 |
8.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] |
| CWE ID |
CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
PHPMailer |
| Vulnerable software versions |
PHPMailer 5.2.1 PHPMailer 5.2.2 PHPMailer 5.2.3 Show more |
| Vendor URL | phpmailer.sourceforge.net |
Security Advisory
1) Object injection attack
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to object injection attack. A remote unauthenticated attacker can send a specially crafted request, conduct object injection attack and execute arbitrary code with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
RemediationThe vulnerability has been fixed in the versions 5.2.27, 6.0.6.
External linkshttps://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.27
https://github.com/PHPMailer/PHPMailer/releases/tag/v6.0.6
