Attackers could inject arbitrary SMTP commands by exploiting the fact that valid email addresses may contain line breaks, which are not handled correctly in some contexts.
Fixed in 5.2.14 in this commit.
Manually strip line breaks from email addresses before passing them to PHPMailer.
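One way to apply this workaround, as an added example that is not PHPMailer's own code: the helper name `safeAddress()` and the sample inputs are hypothetical, and the syntax is kept compatible with the older PHP versions that 5.2.x releases run on.

```php
<?php
// Added example: safeAddress() is a hypothetical helper, not part of PHPMailer.

/**
 * Strip line breaks from an address and report whether anything was removed,
 * so the caller can log the attempt.
 *
 * @param string $address Address as received from the user or another system.
 * @return array [cleaned address (string), was modified (bool)]
 */
function safeAddress($address)
{
    // CR and LF end an SMTP command line; remove every occurrence,
    // including ones inside a quoted local part.
    $clean = str_replace(array("\r", "\n"), '', $address);
    return array(trim($clean), $clean !== $address);
}

// Constructed inputs: one ordinary address, one carrying an embedded CRLF.
$submitted = array(
    'alice@example.com',
    "\"bob\r\nEXTRA LINE\"@example.com",
);

foreach ($submitted as $raw) {
    list($address, $modified) = safeAddress($raw);
    if ($modified) {
        // Escape the control characters so the log entry itself stays on one line.
        error_log('Line break stripped from address: ' . addcslashes($raw, "\r\n"));
    }
    // Hand only the cleaned value to PHPMailer, e.g. $mail->addAddress($address);
    echo $address, PHP_EOL;
}
```

Apply the same helper to every value that ends up as an address (sender, recipients, reply-to), not just the recipient field.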
https://nvd.nist.gov/vuln/detail/CVE-2015-8476
lists.fedoraproject.org/pipermail/package-announce/2016-February/177130.html
lists.fedoraproject.org/pipermail/package-announce/2016-February/177139.html
www.debian.org/security/2015/dsa-3416
www.openwall.com/lists/oss-security/2015/12/04/5
www.openwall.com/lists/oss-security/2015/12/05/1
www.securityfocus.com/bid/78619
github.com/FriendsOfPHP/security-advisories/blob/master/phpmailer/phpmailer/CVE-2015-8476.yaml
github.com/PHPMailer/PHPMailer/commit/6687a96a18b8f12148881e4ddde795ae477284b0
github.com/PHPMailer/PHPMailer/releases/tag/v5.2.14
github.com/PHPMailer/PHPMailer/security/advisories/GHSA-738m-f33v-qc2r
nvd.nist.gov/vuln/detail/CVE-2015-8476