CVE-2015-8476
Published 2015-12-16
Priority: P428, medium
CVSS 2.0: 5.0 (medium), vector AV:N/AC:L/Au:N/C:N/I:P/A:N
EPSS: 1.99% (78.1th percentile)
Multiple CRLF injection vulnerabilities in PHPMailer before 5.2.14 allow attackers to inject arbitrary SMTP commands via CRLF sequences in an (1) email address to the validateAddress function in class.phpmailer.php or (2) SMTP command to the sendCommand function in class.smtp.php, a different vulnerability than CVE-2012-0796.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | libphp-phpmailer | < libphp-phpmailer 5.2.14+dfsg-1 (bookworm) | libphp-phpmailer 5.2.14+dfsg-1 (bookworm) |
| phpmailer | phpmailer | >= 5.0.0 < 5.2.14 | 5.2.14 |
| phpmailer_project | phpmailer | <= 5.2.13 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| ghsa | — | 5.0 | MEDIUM | — |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 4.0 | MEDIUM | — |
GHSA: SMTP Injection in PHPMailer (ghsa · 2020-03-05 · CVSS 5.0 · MEDIUM · CWE-20)
### Impact
Attackers could inject arbitrary SMTP commands by exploiting the fact that valid email addresses may contain line breaks, which are not handled correctly in some contexts.
### Patches
Fixed in 5.2.14 in [this commit](https://github.com/PHPMailer/PHPMailer/commit/6687a96a18b8f12148881e4ddde795ae477284b0).
### Workarounds
Manually strip line breaks from email addresses before passing them to PHPMailer.
### References
https://nvd.nist.gov/vuln/detail/CVE-2015-8476
### For more information
If you have any questions or comments about this advisory:
* Open a private issue in [the PHPMailer project](https://github.com/PHPMailer/PHPMailer)
OSV: SMTP Injection in PHPMailer (osv · 2020-03-05 · CVSS 5.0 · MEDIUM)
OSV: CVE-2015-8476, multiple CRLF injection vulnerabilities in PHPMailer before 5.2.14 (osv · 2015-12-16 · CVSS 4.0 · MEDIUM)
Debian: libphp-phpmailer, CVE-2015-8476 (vendor_debian · 2015 · CVSS 4.0 · MEDIUM)
Scope: local
bookworm: resolved (fixed in 5.2.14+dfsg-1)
bullseye: resolved (fixed in 5.2.14+dfsg-1)
forky: resolved (fixed in 5.2.14+dfsg-1)
sid: resolved (fixed in 5.2.14+dfsg-1)
trixie: resolved (fixed in 5.2.14+dfsg-1)
No detection rules found.
No public exploits indexed.
Bugzilla: CVE-2015-8476 php-PHPMailer: Message injection caused by line breaks in addresses [epel-all] (bugzilla · 2015-12-07 · CVSS 5.0 · MEDIUM)
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora EPEL.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple su
Bugzilla: CVE-2015-8476 php-PHPMailer: Message injection caused by line breaks in addresses (bugzilla · 2015-12-07 · CVSS 5.0 · MEDIUM)
A message injection vulnerability was found in php-PHPMailer affecting versions before 5.2.14, caused by line breaks allowed in addresses, which is valid in RFC5322, but allowing such addresses resulted in invalid RFC5321 SMTP commands. These addresses were allowed by the 'pcre8' validator pattern.
Upstream patch:
https://github.com/PHPMailer/PHPMailer/commit/6687a96a18b8f12148881e4ddde795ae477284b0
CVE assignment:
http://seclists.org/oss-sec/2015/q4/435
Discussion:
Created php-PHPMailer tracking bugs for this issue:
Affects: fedora-all [bug 1289094]
Affects: epel-all [bug 1289095]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a c
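The GHSA workaround above ("strip line breaks from email addresses before passing them to PHPMailer") and the root cause described in the bug report (RFC 5322 allows a line break inside an address, RFC 5321 SMTP commands cannot carry one), as an added example in the calling application. This is not PHPMailer code; the function names are the example's own.

```php
<?php
// Added example (not PHPMailer code): the advisory's workaround for
// CVE-2015-8476, applied by the application before an address reaches
// PHPMailer. Root cause per the bug report: RFC 5322 permits folding
// whitespace (CRLF followed by a space) inside an address, so an address
// that is syntactically valid can contain a line break; placed into an
// RFC 5321 command (MAIL FROM / RCPT TO) that CRLF ends the command early.
// PHPMailer before 5.2.14 accepted such addresses through its 'pcre8'
// validator, hence CR/LF must be removed or rejected up front.

/** True when the address contains a CR or LF byte. */
function hasLineBreak(string $address): bool
{
    return preg_match('/[\r\n]/', $address) === 1;
}

/** The literal workaround: remove line breaks before handing the value on. */
function stripLineBreaks(string $address): string
{
    return str_replace(["\r", "\n"], '', $address);
}

/**
 * Stricter variant for untrusted input: refuse instead of rewriting, so a
 * tampered address surfaces in application logs rather than being mailed.
 * Note that stripping alone can leave an address that still fails to parse
 * (the space of the folding whitespace remains), which is why this variant
 * also runs the built-in mailbox check afterwards.
 */
function requireSingleLineAddress(string $address): string
{
    if (hasLineBreak($address)) {
        throw new InvalidArgumentException('address contains CR/LF');
    }
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('address is not a valid mailbox');
    }
    return $address;
}

// Constructed inputs: a plain address and one folded per RFC 5322.
$plain  = 'alice@example.com';
$folded = "alice\r\n @example.com";

var_dump(hasLineBreak($plain), hasLineBreak($folded));
var_dump(stripLineBreaks($folded));
try {
    requireSingleLineAddress($folded);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```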
Bugzilla: CVE-2015-8476 php-PHPMailer: Message injection caused by line breaks in addresses [fedora-all] (bugzilla · 2015-12-07 · CVSS 5.0 · MEDIUM)
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple suppo
References:
* http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177130.html
* http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177139.html
* http://www.debian.org/security/2015/dsa-3416
* http://www.openwall.com/lists/oss-security/2015/12/04/5
* http://www.openwall.com/lists/oss-security/2015/12/05/1
* http://www.securityfocus.com/bid/78619
* https://github.com/PHPMailer/PHPMailer/commit/6687a96a18b8f12148881e4ddde795ae477284b0
* https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.14