Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2008-5619 — Code Injection in Phpmailer

CWE-94 — Code Injection11 documents9 sources

Severity

10.0CRITICALNVD

EPSS

77.7%

top 1.00%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Phpmailer Roundcube Webmail

Timeline

PublishedDec 17

Latest updateMay 14

Description

html2text.php in Chuggnutt HTML to Text Converter, as used in PHPMailer before 5.2.10, RoundCube Webmail (roundcubemail) 0.2-1.alpha and 0.2-3.beta, Mahara, and AtMail Open 1.03, allows remote attackers to execute arbitrary code via crafted input that is processed by the preg_replace function with the eval switch.

CVSS vector

AV:N/AC:L/C:C/I:C/A:CExploitability: 10.0 | Impact: 10.0

Affected Packages2 packages

▶NVDroundcube/webmail0.2.1, 0.2.3+1

▶Packagistphpmailer/phpmailer< 5.2.10

🔴Vulnerability Details

OSV

PHPMailer susceptible to arbitrary code execution↗2022-05-14

▶

GHSA

PHPMailer susceptible to arbitrary code execution↗2022-05-14

▶

OSV

CVE-2008-5619: html2text↗2008-12-17

▶

CVEList

CVE-2008-5619: html2text↗2008-12-17

▶

💥Exploits & PoCs

Exploit-DB

Roundcube Webmail 0.2b - Remote Code Execution↗2008-12-22

▶

Exploit-DB

Roundcube Webmail 0.2-3 Beta - Code Execution↗2008-12-22

▶

📋Vendor Advisories

Ubuntu

Moodle vulnerabilities↗2009-06-24

▶

Red Hat

roundcubemail: Remotely exploitable code injection vulnerability↗2008-12-09

▶

Debian

CVE-2008-5619: roundcube - html2text.php in Chuggnutt HTML to Text Converter, as used in PHPMailer before 5...↗2008

▶

💬Community

Bugzilla

CVE-2008-5619 roundcubemail: Remotely exploitable code injection vulnerability↗2008-12-12

▶