CVE-2015-8476 — Improper Input Validation in Phpmailer

CWE-20 — Improper Input Validation9 documents6 sources

Severity

5.0MEDIUMNVD

CNA4.0OSV4.0

EPSS

0.9%

top 23.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Phpmailer Phpmailer Project Phpmailer Debian Linux

Timeline

PublishedDec 16

Latest updateMar 5

Description

Multiple CRLF injection vulnerabilities in PHPMailer before 5.2.14 allow attackers to inject arbitrary SMTP commands via CRLF sequences in an (1) email address to the validateAddress function in class.phpmailer.php or (2) SMTP command to the sendCommand function in class.smtp.php, a different vulnerability than CVE-2012-0796.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶Packagistphpmailer/phpmailer5.0.0 — 5.2.14

▶NVDphpmailer_project/phpmailer5.2.13

Also affects: Debian Linux 6.0, 7.0, 8.0

🔴Vulnerability Details

GHSA

SMTP Injection in PHPMailer↗2020-03-05

▶

OSV

SMTP Injection in PHPMailer↗2020-03-05

▶

CVEList

CVE-2015-8476: Multiple CRLF injection vulnerabilities in PHPMailer before 5↗2015-12-16

▶

OSV

CVE-2015-8476: Multiple CRLF injection vulnerabilities in PHPMailer before 5↗2015-12-16

▶

📋Vendor Advisories

Debian

CVE-2015-8476: libphp-phpmailer - Multiple CRLF injection vulnerabilities in PHPMailer before 5.2.14 allow attacke...↗2015

▶

💬Community

Bugzilla

CVE-2015-8476 php-PHPMailer: Message injection caused by line breaks in addresses [epel-all]↗2015-12-07

▶

Bugzilla

CVE-2015-8476 php-PHPMailer: Message injection caused by line breaks in addresses↗2015-12-07

▶

Bugzilla

CVE-2015-8476 php-PHPMailer: Message injection caused by line breaks in addresses [fedora-all]↗2015-12-07

▶