CVE-2018-19296
Published 2018-11-16

CVE-2018-19296: PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.

Priority: P3 · 41 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 2.21% (80.4th percentile)
PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.
Affected
34 ranges (showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | libphp-phpmailer | < libphp-phpmailer 6.2.0-2 (bookworm) | libphp-phpmailer 6.2.0-2 (bookworm) |
| debian | libphp-phpmailer | < libphp-phpmailer 5.2.14+dfsg-2.4 (bookworm) | libphp-phpmailer 5.2.14+dfsg-2.4 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| phpmailer | phpmailer | >= 5.0.0 < 5.2.27 | 5.2.27 |
| phpmailer | phpmailer | >= 6.0.0 < 6.0.6 | 6.0.6 |
| phpmailer | phpmailer | >= 6.1.8 < 6.4.1 | 6.4.1 |
| phpmailer_project | phpmailer | < 5.2.27 | 5.2.27 |
| phpmailer_project | phpmailer | >= 6.0.0 < 6.0.6 | 6.0.6 |
| phpmailer_project | phpmailer | 6.1.8 – 6.4.0 | — |
| wordpress | wordpress | >= 3.7 < 3.7.36 | 3.7.36 |
| wordpress | wordpress | 3.7 – 5.7 | — |
| wordpress | wordpress | >= 3.8 < 3.8.36 | 3.8.36 |
| wordpress | wordpress | >= 3.9 < 3.9.34 | 3.9.34 |
| wordpress | wordpress | >= 4.0 < 4.0.33 | 4.0.33 |
| wordpress | wordpress | >= 4.1 < 4.1.33 | 4.1.33 |
| wordpress | wordpress | >= 4.2 < 4.2.30 | 4.2.30 |
| wordpress | wordpress | >= 4.3 < 4.3.26 | 4.3.26 |
| wordpress | wordpress | >= 4.4 < 4.4.25 | 4.4.25 |
| wordpress | wordpress | >= 4.5 < 4.5.24 | 4.5.24 |
| wordpress | wordpress | >= 4.6 < 4.6.21 | 4.6.21 |
| wordpress | wordpress | >= 4.7 < 4.7.21 | 4.7.21 |
| wordpress | wordpress | >= 4.8 < 4.8.17 | 4.8.17 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| ghsa | — | 8.8 | HIGH | — |
| osv | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 8.8 | HIGH | — |
Ubuntu
PHPMailer vulnerabilities
vendor_ubuntu·2023-03-15·CVSS 9.8
CVE-2021-3603 [CRITICAL] PHPMailer vulnerabilities
Title: PHPMailer vulnerabilities
Summary: Several security issues were fixed in PHPMailer.
Dawid Golunski discovered that PHPMailer was not properly escaping user
input data used as arguments to functions executed by the system shell. An
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 16.04 ESM. (CVE-2016-10033, CVE-2016-10045)
It was discovered that PHPMailer was not properly escaping characters
in certain fields of the code_generator.php example code. An attacker
could possibly use this issue to conduct cross-site scripting (XSS)
attacks. This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04
ESM. (CVE-2017-11503)
Yongxiang Li discovered that PHPMailer was not properly converting
relative paths provided as user input when addi
Ubuntu
PHPMailer vulnerability
vendor_ubuntu·2023-03-15·CVSS 9.8
CVE-2017-11503 [CRITICAL] PHPMailer vulnerability
Title: PHPMailer vulnerability
Summary: An incomplete fix was discovered in PHPMailer.
USN-5956-1 fixed vulnerabilities in PHPMailer. It was discovered that the
fix for CVE-2017-11503 was incomplete. This update fixes the problem.
Original advisory details:
Dawid Golunski discovered that PHPMailer was not properly escaping user
input data used as arguments to functions executed by the system shell. An
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 16.04 ESM. (CVE-2016-10033, CVE-2016-10045)
It was discovered that PHPMailer was not properly escaping characters
in certain fields of the code_generator.php example code. An attacker
could possibly use this issue to conduct cross-site scripting (XSS)
attacks. This issue was only fixed in Ub
WordPress
WordPress 5.7.2 Security Release
vendor_wordpress·2021-05-13·CVSS 8.8
CVE-2020-36326 [HIGH] WordPress 5.7.2 Security Release
Title: WordPress 5.7.2 Security Release
WordPress 5.7.2 is now available.
This security release features one security fix. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.
WordPress 5.7.2 is a short-cycle security release. The next major release will be version 5.8.
You can update to WordPress 5.7.2 by downloading from WordPress.org, or visit your Dashboard → Updates and click Update Now.
If you have sites that support automatic background updates, they’ve already started the update process.
Security Updates
One security issue affecting WordPress versions between 3.7 and 5.7. If you haven’t yet updated to 5.7, all WordPress versions since 3.7 have also been updated to fix the follow
Debian
CVE-2020-36326: libphp-phpmailer - PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserializati...
vendor_debian·2020·CVSS 8.8
CVE-2020-36326 [HIGH] CVE-2020-36326: libphp-phpmailer - PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserializati...
PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.
Scope: local
bookworm: resolved (fixed in 6.2.0-2)
bullseye: resolved (fixed in 6.2.0-2)
forky: resolved (fixed in 6.2.0-2)
sid: resolved (fixed in 6.2.0-2)
trixie: resolved (fixed in 6.2.0-2)
Debian
CVE-2018-19296: libphp-phpmailer - PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injectio...
vendor_debian·2018·CVSS 8.8
CVE-2018-19296 [HIGH] CVE-2018-19296: libphp-phpmailer - PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injectio...
PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.
Scope: local
bookworm: resolved (fixed in 5.2.14+dfsg-2.4)
bullseye: resolved (fixed in 5.2.14+dfsg-2.4)
forky: resolved (fixed in 5.2.14+dfsg-2.4)
sid: resolved (fixed in 5.2.14+dfsg-2.4)
trixie: resolved (fixed in 5.2.14+dfsg-2.4)
OSV
libphp-phpmailer vulnerability
osv·2023-03-15·CVSS 9.8
CVE-2017-11503 [CRITICAL] libphp-phpmailer vulnerability
libphp-phpmailer vulnerability
USN-5956-1 fixed vulnerabilities in PHPMailer. It was discovered that the
fix for CVE-2017-11503 was incomplete. This update fixes the problem.
Original advisory details:
Dawid Golunski discovered that PHPMailer was not properly escaping user
input data used as arguments to functions executed by the system shell. An
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 16.04 ESM. (CVE-2016-10033, CVE-2016-10045)
It was discovered that PHPMailer was not properly escaping characters
in certain fields of the code_generator.php example code. An attacker
could possibly use this issue to conduct cross-site scripting (XSS)
attacks. This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04
ESM. (CVE-2017-11503)
Yo
OSV
libphp-phpmailer vulnerabilities
osv·2023-03-15·CVSS 9.8
CVE-2016-10033 [CRITICAL] libphp-phpmailer vulnerabilities
libphp-phpmailer vulnerabilities
Dawid Golunski discovered that PHPMailer was not properly escaping user
input data used as arguments to functions executed by the system shell. An
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 16.04 ESM. (CVE-2016-10033, CVE-2016-10045)
It was discovered that PHPMailer was not properly escaping characters
in certain fields of the code_generator.php example code. An attacker
could possibly use this issue to conduct cross-site scripting (XSS)
attacks. This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04
ESM. (CVE-2017-11503)
Yongxiang Li discovered that PHPMailer was not properly converting
relative paths provided as user input when adding attachments to messages,
which could lead to relative im
GHSA
Object injection in PHPMailer/PHPMailer
ghsa·2021-05-04·CVSS 8.8
CVE-2020-36326 [HIGH] CWE-502 Object injection in PHPMailer/PHPMailer
Object injection in PHPMailer/PHPMailer
### Impact
This is a reintroduction of an earlier issue (CVE-2018-19296) by an unrelated bug fix in PHPMailer 6.1.8. An external file may be unexpectedly executable if it is used as a path to an attachment file via PHP's support for `.phar` files. Exploitation requires that an attacker is able to provide an unfiltered path to a file to attach, or to trick calling code into generating one. See [this article](https://knasmueller.net/5-answers-about-php-phar-exploitation) for more info.
### Patches
This issue was patched in the PHPMailer 6.4.1 release. This release also implements stricter filtering for attachment paths; paths that look like *any* kind of URL are rejected.
### Workarounds
Validate paths to loaded files using the same pattern as used
OSV
Object injection in PHPMailer/PHPMailer
osv·2021-05-04·CVSS 8.8
CVE-2020-36326 [HIGH] Object injection in PHPMailer/PHPMailer
Object injection in PHPMailer/PHPMailer
### Impact
This is a reintroduction of an earlier issue (CVE-2018-19296) by an unrelated bug fix in PHPMailer 6.1.8. An external file may be unexpectedly executable if it is used as a path to an attachment file via PHP's support for `.phar` files. Exploitation requires that an attacker is able to provide an unfiltered path to a file to attach, or to trick calling code into generating one. See [this article](https://knasmueller.net/5-answers-about-php-phar-exploitation) for more info.
### Patches
This issue was patched in the PHPMailer 6.4.1 release. This release also implements stricter filtering for attachment paths; paths that look like *any* kind of URL are rejected.
### Workarounds
Validate paths to loaded files using the same pattern as used
OSV
CVE-2020-36326: PHPMailer 6
osv·2021-04-28·CVSS 8.8
CVE-2020-36326 [HIGH] CVE-2020-36326: PHPMailer 6
PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.
OSV
Phar object injection in PHPMailer
osv·2020-03-05·CVSS 8.8
CVE-2018-19296 [HIGH] Phar object injection in PHPMailer
Phar object injection in PHPMailer
PHPMailer versions prior to 6.0.6 and 5.2.27 are vulnerable to an object injection attack by passing phar:// paths into `addAttachment()` and other functions that may receive unfiltered local paths, possibly leading to RCE. See [this article](https://knasmueller.net/5-answers-about-php-phar-exploitation) for more info on this type of vulnerability. Mitigated by blocking the use of paths containing URL-protocol style prefixes such as `phar://`. Reported by Sehun Oh of cyberone.kr.
### Impact
Object injection, possible remote code execution
### Patches
Fixed in 6.0.6 and 5.2.27
### Workarounds
Validate and sanitise user input before using.
### References
https://nvd.nist.gov/vuln/detail/CVE-2018-19296
### For more information
If you have any questions
GHSA
Phar object injection in PHPMailer
ghsa·2020-03-05·CVSS 8.8
CVE-2018-19296 [HIGH] CWE-1321 Phar object injection in PHPMailer
Phar object injection in PHPMailer
PHPMailer versions prior to 6.0.6 and 5.2.27 are vulnerable to an object injection attack by passing phar:// paths into `addAttachment()` and other functions that may receive unfiltered local paths, possibly leading to RCE. See [this article](https://knasmueller.net/5-answers-about-php-phar-exploitation) for more info on this type of vulnerability. Mitigated by blocking the use of paths containing URL-protocol style prefixes such as `phar://`. Reported by Sehun Oh of cyberone.kr.
### Impact
Object injection, possible remote code execution
### Patches
Fixed in 6.0.6 and 5.2.27
### Workarounds
Validate and sanitise user input before using.
### References
https://nvd.nist.gov/vuln/detail/CVE-2018-19296
### For more information
If you have any questions
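The advisories above state the mitigation in one sentence each: the 5.2.27/6.0.6 fix blocks attachment paths carrying a URL-protocol style prefix such as `phar://`, and the 6.4.1 fix for the CVE-2020-36326 regression rejects anything that looks like any kind of URL, UNC pathnames being the vector there. The following is an added example written for this page, not PHPMailer's own code, showing the kind of check a calling application can apply to a user-influenced path before handing it to any attachment API. It goes beyond the advisories by also confining the canonical path to an allowed base directory; the class name `AttachmentPathPolicy`, the base-directory parameter and the temporary sample file are assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not PHPMailer's code): defensive validation of an attachment
 * path. A path is accepted only if it carries no URL-style scheme prefix
 * (phar://, file://, data:, php://, ...), is not a UNC path, and resolves to a
 * regular file inside an allowed base directory (the last rule is an addition
 * beyond what the advisory describes).
 */
final class AttachmentPathPolicy
{
    /** @var string Canonical base directory with trailing separator (assumed to be caller-provided). */
    private string $baseDir;

    public function __construct(string $baseDir)
    {
        $real = realpath($baseDir);
        if ($real === false || !is_dir($real)) {
            throw new InvalidArgumentException("base directory does not exist: $baseDir");
        }
        $this->baseDir = rtrim($real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    }

    /** Returns a short reason if the path is rejected, or null if it is acceptable. */
    public function reject(string $path): ?string
    {
        // An embedded NUL would truncate the path seen by the C-level file functions
        // (and PHP 8 throws on it), so refuse it before any filesystem call.
        if (strpos($path, "\0") !== false) {
            return 'contains NUL byte';
        }
        // Anything shaped like a URL scheme is refused; a local attachment path never
        // needs one. A single-letter prefix followed by a separator (Windows drive
        // letter such as C:\) is exempted.
        if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $path) === 1
            && preg_match('#^[a-z]:[\\\\/]#i', $path) !== 1) {
            return 'URL-style scheme prefix';
        }
        // UNC paths (\\server\share or //server/share) are refused as well.
        if (preg_match('#^[\\\\/]{2}#', $path) === 1) {
            return 'UNC path';
        }
        // Canonicalise, which also follows symlinks and collapses "..".
        $real = realpath($path);
        if ($real === false || !is_file($real)) {
            return 'not an existing regular file';
        }
        // The canonical path must stay inside the allowed directory.
        if (strncmp($real, $this->baseDir, strlen($this->baseDir)) !== 0) {
            return 'outside allowed directory';
        }
        return null;
    }
}

// Usage with a constructed temporary directory and sample file so the example runs offline.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'attach-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'report.pdf', '%PDF-1.4 constructed sample');
$policy = new AttachmentPathPolicy($dir);

$cases = [
    $dir . '/report.pdf',                    // accepted: plain file inside the base directory
    'phar://' . $dir . '/report.pdf/x.txt',  // rejected: URL-style scheme prefix
    '\\\\server\\share\\report.pdf',         // rejected: UNC path
    $dir . '/../../etc/passwd',              // rejected: resolves outside the base directory
];
foreach ($cases as $case) {
    $why = $policy->reject($case);
    printf("%-60s %s\n", $case, $why === null ? 'OK' : 'REJECT (' . $why . ')');
}
```

The scheme check runs before any filesystem call on purpose: PHP stream wrappers are dispatched on the prefix, so the point at which a `phar://` path becomes dangerous is the moment a file function touches it, and `realpath()` cannot be relied on to normalise such a path away. The base-directory confinement is the part that is an assumption beyond the advisory; drop or adapt it if attachments legitimately come from several locations.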
OSV
CVE-2018-19296: PHPMailer before 5
osv·2018-11-16·CVSS 8.8
CVE-2018-19296 [HIGH] CVE-2018-19296: PHPMailer before 5
PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
- https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.27
- https://github.com/PHPMailer/PHPMailer/releases/tag/v6.0.6
- https://lists.debian.org/debian-lts-announce/2018/12/msg00020.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3B5WDPGUFNPG4NAZ6G4BZX43BKLAVA5B/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KPU66INRFY5BQ3ESVPRUXJR4DXQAFJVT/
- https://www.debian.org/security/2018/dsa-4351