PHPMailer versions prior to 5.2.24 (released July 26th 2017) have an XSS vulnerability in one of the code examples, CVE-2017-11503. The code_generator.phps example did not filter user input prior to output. This file is distributed with a .phps
extension, so it it not normally executable unless it is explicitly renamed, and the file is not included when PHPMailer is loaded through composer, so it is safe by default. There was also an undisclosed potential XSS vulnerability in the default exception handler (unused by default). Patches for both issues kindly provided by Patrick Monnerat of the Fedora Project.
PHPMailer 5.2.23 has XSS in the "From Email Address" and "To Email Address" fields of code_generator.php.
Fixed in 5.2.24
None.
https://nvd.nist.gov/vuln/detail/CVE-2017-11503
If you have any questions or comments about this advisory:
www.securityfocus.com/bid/99293
www.securitytracker.com/id/1039026
cxsecurity.com/issue/WLB-2017060181
github.com/FriendsOfPHP/security-advisories/blob/master/phpmailer/phpmailer/CVE-2017-11503.yaml
github.com/PHPMailer/PHPMailer/releases/tag/v5.2.24
github.com/PHPMailer/PHPMailer/security/advisories/GHSA-58mj-pw57-4vm2
nvd.nist.gov/vuln/detail/CVE-2017-11503
packetstormsecurity.com/files/143138/phpmailer-xss.txt