CVE-2008-5619
published 2008-12-17


Priority P270 · critical · 10 (CVSS 2.0)
AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS 54.00% (98.9th percentile)
html2text.php in Chuggnutt HTML to Text Converter, as used in PHPMailer before 5.2.10, RoundCube Webmail (roundcubemail) 0.2-1.alpha and 0.2-3.beta, Mahara, and AtMail Open 1.03, allows remote attackers to execute arbitrary code via crafted input that is processed by the preg_replace function with the eval switch.

Affected

4 ranges
Vendor | Product | Version range | Fixed in
debian | roundcube | < roundcube 0.1.1-9 (bookworm) | roundcube 0.1.1-9 (bookworm)
phpmailer | phpmailer | >= 0 < 5.2.10 | 5.2.10
roundcube | webmail | |
roundcube | webmail | |

Detection & IOCs (extracted from sources)

path: bin/html2text.php
path: program/lib/html2text.php
command: wget -q --header="Content-Type: ''" -O - --post-data='{${phpinfo()}}' --no-check-certificate http://127.0.0.1/roundcubemail-0.2-alpha/bin/html2text.php
other: {${EVAL(BASE64_DECODE($_SERVER[HTTP_ACCEPT]))}}
  • Monitor POST requests to bin/html2text.php or program/lib/html2text.php containing PHP curly/complex syntax payloads such as '{${...}}' in the POST body or HTTP headers (e.g., Accept header).
  • Detect exploitation attempts where the HTTP Accept header contains Base64-encoded PHP code, as the exploit delivers its payload via BASE64_DECODE($_SERVER[HTTP_ACCEPT]).
  • Alert on POST requests to html2text.php with body content matching the pattern '{${...}}' which triggers PHP code execution via preg_replace with the 'e' (eval) flag.
  • The exploit targets html2text.php only when it is directly accessible via HTTP POST; if the file is not web-accessible (e.g., restricted to CLI use only), the remote attack vector is eliminated.
  • PHP's disable_functions setting can limit post-exploitation impact (e.g., exec, system disabled), but does not prevent initial code execution via preg_replace eval.
  • PHP magic_quotes_gpc may complicate exploitation but can be bypassed using PHP curly syntax tricks to avoid single or double quotes.
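
The three monitoring bullets above, expressed as a matcher over parsed HTTP request records. This is an added example, not a rule from the sources this page draws on. The record shape (dicts with `method`, `path`, `headers`, `body`, header names already normalized) and the sample requests are constructed assumptions; the Base64 check is a heuristic.

```python
import base64
import binascii
import re
from urllib.parse import unquote_plus

TARGET_PATHS = ("bin/html2text.php", "program/lib/html2text.php")  # IOC paths above
CURLY = re.compile(r"\{\s*\$\s*\{.*?\}\s*\}", re.S)  # PHP complex syntax {${...}}
# One well-formed Accept item: type/subtype with optional ;parameters.
MEDIA_RANGE = re.compile(r"^[\w!#$&^.+*-]+/[\w!#$&^.+*-]+(\s*;.*)?$")

def accept_is_base64(value, min_len=16):
    """True when Accept is not a media-range list but decodes as Base64."""
    value = value.strip()
    items = [i.strip() for i in value.split(",") if i.strip()]
    if not items or all(MEDIA_RANGE.match(i) for i in items):
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(value) >= min_len

def findings(req):
    """Return the reasons a request matches the detection bullets, or []."""
    path = unquote_plus(req["path"]).split("?", 1)[0].lower()
    if req["method"].upper() != "POST" or not path.endswith(TARGET_PATHS):
        return []
    headers = req.get("headers", {})  # assumed normalized, e.g. "Accept"
    hits = []
    if CURLY.search(unquote_plus(req.get("body", ""))):
        hits.append("curly-syntax-in-body")
    for name, val in headers.items():
        if CURLY.search(val):
            hits.append(f"curly-syntax-in-header:{name.lower()}")
    if accept_is_base64(headers.get("Accept", "")):
        hits.append("base64-accept-header")
    return hits

# Constructed sample requests; bodies reuse the strings listed in the IOCs above.
PLACEHOLDER = base64.b64encode(b"constructed placeholder").decode()
SAMPLES = [
    {"method": "POST", "path": "/roundcubemail-0.2-alpha/bin/html2text.php", "headers": {"Accept": "*/*"}, "body": "{${phpinfo()}}"},
    {"method": "POST", "path": "/program/lib/html2text.php", "headers": {"Accept": PLACEHOLDER}, "body": "{${EVAL(BASE64_DECODE($_SERVER[HTTP_ACCEPT]))}}"},
    {"method": "POST", "path": "/program/lib/html2text.php", "headers": {"Accept": "text/html,*/*;q=0.8"}, "body": "<p>Hello</p>"},
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r["path"], findings(r))
```

Matching needs the request body and the Accept header, which default access-log formats do not record, so this has to run where those fields are captured (WAF, reverse proxy, or full request logging).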

CVSS provenance

nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
osv | 10.0 | CRITICAL
vendor_debian | 10.0 | HIGH
vendor_redhat | 10.0 | CRITICAL
vendor_ubuntu | 6.8 | MEDIUM