CVE-2021-3603
Published 2021-06-17
Priority P3 (47) high · CVSS 3.1 base score 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS 2.26% (80.8th percentile)
PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host project's scope by other means). If the $patternselect parameter to validateAddress() is set to 'php' (the default, defined by PHPMailer::$validator), and the global namespace contains a function called php, it will be called in preference to the built-in validator of the same name. Mitigated in PHPMailer 6.5.0 by denying the use of simple strings as validator function names.
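As an added illustration (this is not PHPMailer's own code, which the page does not reproduce), the dispatch pattern the description above refers to, reimplemented in a few lines: the validator name is passed through `is_callable()` before the built-in scheme is consulted, so once any global function named `php` exists it shadows the built-in `php` validator. The fixed variant follows the 6.5.0 approach described above of refusing plain strings as user-supplied validators. The function names `validateAddressVulnerable`, `validateAddressFixed` and `builtinPhpValidator` are this example's own, and the global `php()` stands in for code an attacker has already injected by some other means, which is the advisory's precondition.

```php
<?php
// Added example for CVE-2021-3603. Not PHPMailer's code: a minimal reimplementation
// of the validator-dispatch pattern the advisory describes, vulnerable and fixed.

// Stand-in for a function an attacker has already injected into the global
// namespace (the advisory's precondition). Its name collides with the default
// validation scheme name 'php', the value of PHPMailer::$validator.
function php(string $address): bool
{
    echo "[injected] php() called for: $address\n";
    return true; // accept anything, e.g. to slip a malformed address past validation
}

// The built-in 'php' scheme, modelled here as filter_var() with FILTER_VALIDATE_EMAIL.
function builtinPhpValidator(string $address): bool
{
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

// Vulnerable dispatch: any callable is honoured, including a bare string naming a
// global function. is_callable('php') becomes true as soon as the injected function
// exists, so it is called in preference to the built-in scheme of the same name.
function validateAddressVulnerable(string $address, $patternselect = 'php'): bool
{
    if (is_callable($patternselect)) {
        return (bool) call_user_func($patternselect, $address);
    }
    switch ($patternselect) {
        case 'php':
        default:
            return builtinPhpValidator($address);
    }
}

// Fixed dispatch (the approach described for 6.5.0): a plain string is never treated
// as a user callable, it can only select a built-in scheme. Custom validators must be
// passed as a non-string callable such as a closure, array callable or invokable object.
function validateAddressFixed(string $address, $patternselect = 'php'): bool
{
    if (is_callable($patternselect) && !is_string($patternselect)) {
        return (bool) call_user_func($patternselect, $address);
    }
    switch ($patternselect) {
        case 'php':
        default:
            return builtinPhpValidator($address);
    }
}

$malformed = 'not an address';                       // constructed sample input
var_dump(validateAddressVulnerable($malformed));     // bool(true): injected php() ran
var_dump(validateAddressFixed($malformed));          // bool(false): built-in validator ran

// A legitimate custom validator still works in the fixed form when passed as a closure.
$onlyExampleCom = fn(string $a): bool => str_ends_with($a, '@example.com');
var_dump(validateAddressFixed('user@example.com', $onlyExampleCom)); // bool(true)
var_dump(validateAddressFixed('user@evil.test', $onlyExampleCom));   // bool(false)
```

Run with `php example.php` (PHP 8 or later, for the arrow function and `str_ends_with`). When auditing a deployment on an affected release, the condition that turns this into a live trigger is a global function named `php` being defined at runtime (`function_exists('php')` returning true, or a `function php(` definition anywhere in the loaded code). Upgrading to 6.5.0 or later closes the trigger path; it does not remove whatever injected the function in the first place.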
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libphp-phpmailer | < 6.6.3-1 (bookworm) | 6.6.3-1 (bookworm) |
| fedoraproject | fedora | — | — (see the Fedora package announcements in the references) |
| phpmailer | phpmailer | all releases < 6.5.0 | 6.5.0 |
| phpmailer_project | phpmailer | <= 6.4.1 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| ghsa | — | 8.1 | HIGH | — |
| osv | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 8.1 | HIGH | — |
Note: the 9.8/CRITICAL figures under osv and vendor_ubuntu are carried over from the bundled Ubuntu notices (USN-5956-1 and its follow-up) quoted below, which also cover the CVE-2016-10033/CVE-2016-10045 shell-escaping code execution issues; they are not a rating of CVE-2021-3603 on its own. NVD, GHSA and Debian score this issue 8.1, and the upstream GHSA advisory describes its impact as low because exploitation requires an attacker who can already inject a function into the application's global namespace.
OSV: libphp-phpmailer vulnerability
osv · 2023-03-15 · CVSS 9.8 · CVE-2017-11503 [CRITICAL]
USN-5956-1 fixed vulnerabilities in PHPMailer. It was discovered that the
fix for CVE-2017-11503 was incomplete. This update fixes the problem.
Original advisory details:
Dawid Golunski discovered that PHPMailer was not properly escaping user
input data used as arguments to functions executed by the system shell. An
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 16.04 ESM. (CVE-2016-10033, CVE-2016-10045)
It was discovered that PHPMailer was not properly escaping characters
in certain fields of the code_generator.php example code. An attacker
could possibly use this issue to conduct cross-site scripting (XSS)
attacks. This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04
ESM. (CVE-2017-11503)
Yo
OSV: libphp-phpmailer vulnerabilities
osv · 2023-03-15 · CVSS 9.8 · CVE-2016-10033 [CRITICAL]
Dawid Golunski discovered that PHPMailer was not properly escaping user
input data used as arguments to functions executed by the system shell. An
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 16.04 ESM. (CVE-2016-10033, CVE-2016-10045)
It was discovered that PHPMailer was not properly escaping characters
in certain fields of the code_generator.php example code. An attacker
could possibly use this issue to conduct cross-site scripting (XSS)
attacks. This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04
ESM. (CVE-2017-11503)
Yongxiang Li discovered that PHPMailer was not properly converting
relative paths provided as user input when adding attachments to messages,
which could lead to relative im
GHSA: PHPMailer untrusted code may be run from an overridden address validator
ghsa · 2021-06-22 · CVSS 8.1 · CVE-2021-3603 [HIGH] · CWE-74
If a function is defined that has the same name as the default built-in email address validation scheme (`php`), it will be called in the default configuration, because when no validation scheme is provided, the default scheme's callable `php` was being called. If an attacker is able to inject such a function into the application (a much bigger issue), it will be called whenever an email address is validated, such as when calling `validateAddress()`.
### Impact
Low impact – exploitation requires that an attacker can already inject code into an application, but it provides a trigger pathway.
### Patches
This is patched in PHPMailer 6.5.0 by denying the use of simple strings as validator function names, which is a very minor B
OSV: CVE-2021-3603: PHPMailer 6
osv · 2021-06-17 · CVSS 8.1 · CVE-2021-3603 [HIGH]
PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host project's scope by other means). If the $patternselect parameter to validateAddress() is set to 'php' (the default, defined by PHPMailer::$validator), and the global namespace contains a function called php, it will be called in preference to the built-in validator of the same name. Mitigated in PHPMailer 6.5.0 by denying the use of simple strings as validator function names.
Ubuntu: PHPMailer vulnerabilities
vendor_ubuntu · 2023-03-15 · CVSS 9.8 · CVE-2021-3603 [CRITICAL]
Summary: Several security issues were fixed in PHPMailer.
Dawid Golunski discovered that PHPMailer was not properly escaping user
input data used as arguments to functions executed by the system shell. An
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 16.04 ESM. (CVE-2016-10033, CVE-2016-10045)
It was discovered that PHPMailer was not properly escaping characters
in certain fields of the code_generator.php example code. An attacker
could possibly use this issue to conduct cross-site scripting (XSS)
attacks. This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04
ESM. (CVE-2017-11503)
Yongxiang Li discovered that PHPMailer was not properly converting
relative paths provided as user input when addi
Ubuntu: PHPMailer vulnerability
vendor_ubuntu · 2023-03-15 · CVSS 9.8 · CVE-2017-11503 [CRITICAL]
Summary: An incomplete fix was discovered in PHPMailer.
USN-5956-1 fixed vulnerabilities in PHPMailer. It was discovered that the
fix for CVE-2017-11503 was incomplete. This update fixes the problem.
Original advisory details:
Dawid Golunski discovered that PHPMailer was not properly escaping user
input data used as arguments to functions executed by the system shell. An
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 16.04 ESM. (CVE-2016-10033, CVE-2016-10045)
It was discovered that PHPMailer was not properly escaping characters
in certain fields of the code_generator.php example code. An attacker
could possibly use this issue to conduct cross-site scripting (XSS)
attacks. This issue was only fixed in Ub
Debian: CVE-2021-3603: libphp-phpmailer
vendor_debian · 2021 · CVSS 8.1 · CVE-2021-3603 [HIGH]
PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host project's scope by other means). If the $patternselect parameter to validateAddress() is set to 'php' (the default, defined by PHPMailer::$validator), and the global namespace contains a function called php, it will be called in preference to the built-in validator of the same name. Mitigated in PHPMailer 6.5.0 by denying the use of simple strings as validator function names.
Scope: local
bookworm: resolved (fixed in 6.6.3-1)
bullseye: open
forky: resolved (fixed in 6.6.3-1)
sid: resolved (fixed in 6.6.3-1)
trixie: resolved (fixed in 6.6.3-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/PHPMailer/PHPMailer/commit/45f3c18dc6a2de1cb1bf49b9b249a9ee36a5f7f3
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YRMWGA4VTMXFB22KICMB7YMFZNFV3EJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FJYSOFCUBS67J3TKR74SD3C454N7VTYM/
- https://www.huntr.dev/bounties/1-PHPMailer/PHPMailer/
Published 2021-06-17