#VU16334 Object injection attack in PHPMailer - CVE-2018-19296
Published: December 7, 2018 / Updated: December 7, 2018
Vulnerability identifier: #VU16334
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2018-19296
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
PHPMailer
PHPMailer
Software vendor:
phpmailer.sourceforge.net
phpmailer.sourceforge.net
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to object injection attack. A remote unauthenticated attacker can send a specially crafted request, conduct object injection attack and execute arbitrary code with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
The vulnerability has been fixed in the versions 5.2.27, 6.0.6.