CVE-2021-3603Inclusion of Functionality from Untrusted Control Sphere in Phpmailer

CWE-829Inclusion of Functionality from Untrusted Control SphereCWE-74Injection10 documents6 sources
Severity
8.1HIGHNVD
OSV9.8
EPSS
0.8%
top 26.31%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
PhpmailerPhpmailer Project PhpmailerFedoraproject Fedora
Timeline
PublishedJun 17
Latest updateMar 15

Description

PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host project's scope by other means). If the $patternselect parameter to validateAddress() is set to 'php' (the default, defined by PHPMailer::$validator), and the global namespace contains a function called php, it will be called in preference to the built-in validator of the same name. Mitigated in PHPMailer 6.5.0 by denying the use of simple strings as validato

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages3 packages

CVEListV5phpmailer/phpmailerunspecified6.5.0
Packagistphpmailer/phpmailer< 6.5.0

Also affects: Fedora 33, 34

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

6
OSV
libphp-phpmailer vulnerability2023-03-15
OSV
libphp-phpmailer vulnerabilities2023-03-15
GHSA
PHPMailer untrusted code may be run from an overridden address validator2021-06-22
OSV
PHPMailer untrusted code may be run from an overridden address validator2021-06-22
CVEList
Inclusion of Functionality from Untrusted Control Sphere in PHPMailer/PHPMailer2021-06-17

📋Vendor Advisories

3
Ubuntu
PHPMailer vulnerabilities2023-03-15
Ubuntu
PHPMailer vulnerability2023-03-15
Debian
CVE-2021-3603: libphp-phpmailer - PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted...2021
CVE-2021-3603 — Phpmailer vulnerability | cvebase