cbcvebase.
CVE-2021-3603
published 2021-06-17

CVE-2021-3603: PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host project's scope by…

PriorityP347high8.1CVSS 3.1
AVNACHPRNUINSUCHIHAH
EPSS
2.26%
80.8th percentile
PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host project's scope by other means). If the $patternselect parameter to validateAddress() is set to 'php' (the default, defined by PHPMailer::$validator), and the global namespace contains a function called php, it will be called in preference to the built-in validator of the same name. Mitigated in PHPMailer 6.5.0 by denying the use of simple strings as validator function names.

Affected

6 ranges
VendorProductVersion rangeFixed in
debianlibphp-phpmailer< libphp-phpmailer 6.6.3-1 (bookworm)libphp-phpmailer 6.6.3-1 (bookworm)
fedoraprojectfedora
fedoraprojectfedora
phpmailerphpmailer>= 0 < 6.5.06.5.0
phpmailerphpmailer>= unspecified < 6.5.06.5.0
phpmailer_projectphpmailer<= 6.4.1

CVSS provenance

nvdv3.18.1HIGHCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
ghsa8.1HIGH
osv9.8CRITICAL
vendor_ubuntu9.8CRITICAL
vendor_debian8.1HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.