CVE-2020-36326 — Deserialization of Untrusted Data in Phpmailer

CWE-502 — Deserialization of Untrusted Data CWE-641 — Improper Restriction of Names for Files and Other Resources7 documents6 sources

Severity

9.8CRITICALNVD

CNA8.8GHSA8.8OSV8.8

EPSS

0.3%

top 46.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wordpress Phpmailer Phpmailer Project Phpmailer

Timeline

PublishedApr 28

Latest updateMay 13

Description

PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶Packagistphpmailer/phpmailer6.1.8 — 6.4.1

▶NVDphpmailer_project/phpmailer6.1.8 — 6.4.0

▶NVDwordpress/wordpress3.7 — 3.7.36+20

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Object injection in PHPMailer/PHPMailer↗2021-05-04

▶

OSV

Object injection in PHPMailer/PHPMailer↗2021-05-04

▶

CVEList

CVE-2020-36326: PHPMailer 6↗2021-04-28

▶

OSV

CVE-2020-36326: PHPMailer 6↗2021-04-28

▶

📋Vendor Advisories

WordPress

WordPress 5.7.2 Security Release↗2021-05-13

▶

Debian

CVE-2020-36326: libphp-phpmailer - PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserializati...↗2020

▶