CVE-2007-3215
Published 2007-06-14
CVE-2007-3215: PHPMailer 1.7, when configured to use sendmail, allows remote attackers to execute arbitrary shell commands via shell metacharacters in the SendmailSend…
Priority P3 40 · Severity: medium · CVSS 2.0: 6.8 · Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS: 2.41% (82.0th percentile)
PHPMailer 1.7, when configured to use sendmail, allows remote attackers to execute arbitrary shell commands via shell metacharacters in the SendmailSend function in class.phpmailer.php.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libphp-phpmailer | < libphp-phpmailer 1.73-4 (bookworm) | libphp-phpmailer 1.73-4 (bookworm) |
| debian | wordpress | < libphp-phpmailer 1.73-4 (bookworm) | libphp-phpmailer 1.73-4 (bookworm) |
| phpmailer | phpmailer | — | — |
| phpmailer | phpmailer | — | — |
| phpmailer | phpmailer | — | — |
| phpmailer | phpmailer | — | — |
| phpmailer | phpmailer | — | — |
| phpmailer | phpmailer | >= 0 < 5.2.0 | 5.2.0 |
| phpmailer | phpmailer | >= 0 < 1.7.4 | 1.7.4 |
| wordpress | wordpress | >= 0 < 2.2.1-1 | 2.2.1-1 |
| wordpress | wordpress | >= 0 < 2.2.1-1 | 2.2.1-1 |
| wordpress | wordpress | >= 0 < 2.2.1-1 | 2.2.1-1 |
| wordpress | wordpress | >= 0 < 2.2.1-1 | 2.2.1-1 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| ghsa | — | 7.5 | HIGH | — |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 6.8 | HIGH | — |
| vendor_ubuntu | — | 6.8 | MEDIUM | — |
GHSA
PHPMailer Local file inclusion
ghsa·2024-02-02·CVSS 7.5
CVE-2006-5734 [HIGH] PHPMailer Local file inclusion
PHPMailer Local file inclusion
### Impact
Arbitrary local file inclusion via the `$lang` property, remotely exploitable if the host application passes unfiltered user data into that property. The 3 CVEs listed are applications that used PHPMailer and were vulnerable to this problem.
### Patches
It's not known exactly when this was fixed in the host applications, but it was fixed in PHPMailer 5.2.0.
### Workarounds
Filter and validate user-supplied data before use.
### References
https://nvd.nist.gov/vuln/detail/CVE-2006-5734
https://nvd.nist.gov/vuln/detail/CVE-2007-3215
https://nvd.nist.gov/vuln/detail/CVE-2007-2021
Example exploit: https://www.exploit-db.com/exploits/14893
### For more information
If you have any questions or comments about this advisory:
* Open a private issue in [the
GHSA
PHPMailer Shell command injection
ghsa·2024-02-02·CVSS 6.8
CVE-2007-3215 [MEDIUM] PHPMailer Shell command injection
PHPMailer Shell command injection
PHPMailer before 1.7.4, when configured to use sendmail, allows remote attackers to execute arbitrary shell commands via shell metacharacters in the SendmailSend function in `class.phpmailer.php`.
### Impact
Shell command injection, remotely exploitable if the host application does not filter user data appropriately.
### Patches
Fixed in 1.7.4
### Workarounds
Filter and validate user-supplied data before putting it into the `Sender` property.
### References
https://nvd.nist.gov/vuln/detail/CVE-2007-3215
### For more information
If you have any questions or comments about this advisory:
* Open a private issue in [the PHPMailer project](https://github.com/PHPMailer/PHPMailer)
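The workaround above asks the host application to filter and validate the `Sender` value. As an added example (not PHPMailer's own code, and not the 1.7.4 patch), the PHP below shows one way to do that, and to build the sendmail command line so the validated value can only ever be a single argument; the `-oi -f <sender> -t` invocation and the two function names are assumptions for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not PHPMailer's own code. The advisory's bug is a Sender
// value interpolated unescaped into the sendmail command line; these two
// functions show the application-side validation the workaround asks for,
// plus argument escaping so the value can only ever be one argument.

/**
 * Return the address if it is a syntactically valid e-mail address with
 * no shell-significant characters, or null if it must be rejected.
 */
function validateSender(string $candidate): ?string
{
    $candidate = trim($candidate);
    if ($candidate === '' || strlen($candidate) > 254) {
        return null;
    }
    if (filter_var($candidate, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Defence in depth: FILTER_VALIDATE_EMAIL accepts quoted local parts such
    // as "a;b"@example.com, so additionally refuse anything a shell could parse.
    if (preg_match('/[\s;&|`$<>()\\\\\'"!*?#~{}\[\]]/', $candidate) === 1) {
        return null;
    }
    return $candidate;
}

/**
 * Build the sendmail invocation. The "-oi -f <sender> -t" form is an
 * assumption for illustration; escapeshellarg() is what keeps even a
 * validated value from ever being parsed as more than one argument.
 */
function buildSendmailCommand(string $sendmailPath, string $sender): string
{
    $checked = validateSender($sender);
    if ($checked === null) {
        throw new InvalidArgumentException('Sender address rejected');
    }
    return sprintf('%s -oi -f %s -t', escapeshellcmd($sendmailPath), escapeshellarg($checked));
}

// Constructed inputs: a legitimate address and two that carry metacharacters.
foreach (['bob@example.com', 'bob@example.com;', '"a;b"@example.com'] as $sender) {
    try {
        echo buildSendmailCommand('/usr/sbin/sendmail', $sender), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $sender, "\n";
    }
}
```

Only the first address produces a command line; the other two are refused before any process is spawned, which is the point of validating at the property boundary rather than relying on the library.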
OSV
CVE-2007-3215: PHPMailer 1
osv·2007-06-14·CVSS 6.8
CVE-2007-3215 [MEDIUM] CVE-2007-3215: PHPMailer 1
PHPMailer 1.7, when configured to use sendmail, allows remote attackers to execute arbitrary shell commands via shell metacharacters in the SendmailSend function in class.phpmailer.php.
Ubuntu
Moodle vulnerabilities
vendor_ubuntu·2009-06-24·CVSS 6.8
CVE-2009-0500 [MEDIUM] Moodle vulnerabilities
Title: Moodle vulnerabilities
Summary: Moodle vulnerabilities
Thor Larholm discovered that PHPMailer, as used by Moodle, did not correctly escape email addresses. A local attacker with direct access to the Moodle database could exploit this to execute arbitrary commands as the web server user. (CVE-2007-3215)

Nigel McNie discovered that fetching https URLs did not correctly escape shell meta-characters. An authenticated remote attacker could execute arbitrary commands as the web server user, if curl was installed and configured. (CVE-2008-4796, MSA-09-0003)

It was discovered that Smarty (also included in Moodle), did not correctly filter certain inputs. An authenticated remote attacker could exploit this to execute arbitrary PHP commands as the web server user. (CVE-2008-4810, CVE-2008
Debian
CVE-2007-3215: libphp-phpmailer - PHPMailer 1.7, when configured to use sendmail, allows remote attackers to execu...
vendor_debian·2007·CVSS 6.8
CVE-2007-3215 [MEDIUM] CVE-2007-3215: libphp-phpmailer - PHPMailer 1.7, when configured to use sendmail, allows remote attackers to execu...
PHPMailer 1.7, when configured to use sendmail, allows remote attackers to execute arbitrary shell commands via shell metacharacters in the SendmailSend function in class.phpmailer.php.
Scope: local
bookworm: resolved (fixed in 1.73-4)
bullseye: resolved (fixed in 1.73-4)
forky: resolved (fixed in 1.73-4)
sid: resolved (fixed in 1.73-4)
trixie: resolved (fixed in 1.73-4)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
http://larholm.com/2007/06/11/phpmailer-0day-remote-execution/
http://osvdb.org/37206
http://osvdb.org/76139
http://seclists.org/fulldisclosure/2011/Oct/223
http://secunia.com/advisories/25626
http://secunia.com/advisories/25755
http://secunia.com/advisories/25758
http://securityreason.com/securityalert/2802
http://sourceforge.net/project/shownotes.php?release_id=517428&group_id=157374
http://www.debian.org/security/2007/dsa-1315
http://www.securityfocus.com/archive/1/471065/100/0/threaded
http://www.securityfocus.com/bid/24417
http://www.vupen.com/english/advisories/2007/2161
http://www.vupen.com/english/advisories/2007/2267
http://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_rce
https://exchange.xforce.ibmcloud.com/vulnerabilities/34818
https://sourceforge.net/tracker/index.php?func=detail&aid=1734811&group_id=26031&atid=385707