CVE-2018-19296 — Deserialization of Untrusted Data in Project Phpmailer

CWE-502 — Deserialization of Untrusted Data CWE-1321 — Prototype Pollution CWE-915 — Improperly Controlled Modification of Dynamically-Determined Object Attributes CWE-641 — Improper Restriction of Names for Files and Other Resources17 documents7 sources

Severity

9.8CRITICALNVD

NVD8.8CNA8.8GHSA8.8OSV8.8

EPSS

1.6%

top 18.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Phpmailer Project Phpmailer Wordpress Phpmailer +2 more

Timeline

PublishedNov 16

Latest updateMar 15

Description

PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶Packagistphpmailer/phpmailer5.0.0 — 5.2.27+2

▶NVDphpmailer_project/phpmailer6.0.0 — 6.0.6+2

▶NVDwordpress/wordpress3.7 — 3.7.36+21

Also affects: Debian Linux 8.0, 9.0, Fedora 33, 34

🔴Vulnerability Details

OSV

libphp-phpmailer vulnerability↗2023-03-15

▶

OSV

libphp-phpmailer vulnerabilities↗2023-03-15

▶

GHSA

Object injection in PHPMailer/PHPMailer↗2021-05-04

▶

OSV

Object injection in PHPMailer/PHPMailer↗2021-05-04

▶

CVEList

CVE-2020-36326: PHPMailer 6↗2021-04-28

▶

📋Vendor Advisories

Ubuntu

PHPMailer vulnerabilities↗2023-03-15

▶

Ubuntu

PHPMailer vulnerability↗2023-03-15

▶

WordPress

WordPress 5.7.2 Security Release↗2021-05-13

▶

Debian

CVE-2020-36326: libphp-phpmailer - PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserializati...↗2020

▶

Debian

CVE-2018-19296: libphp-phpmailer - PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injectio...↗2018

▶