CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
71.7%
PHPMailer 6.4.1 and earlier contain a vulnerability that can result in
untrusted code being called (if such code is injected into the host
project’s scope by other means). If the $patternselect parameter to
validateAddress() is set to ‘php’ (the default, defined by
PHPMailer::$validator), and the global namespace contains a function called
php, it will be called in preference to the built-in validator of the same
name. Mitigated in PHPMailer 6.5.0 by denying the use of simple strings as
validator function names.
Author | Note |
---|---|
ccdm94 | the vulnerable code section seems to have been introduced by commit 77c0bc8d (v.5.2.15). For this reason, bionic and earlier are not vulnerable. |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | libphp-phpmailer | < 6.0.6-0.1ubuntu0.1~esm1 | UNKNOWN |
ubuntu | 22.04 | noarch | libphp-phpmailer | < 6.2.0-2ubuntu0.1~esm1 | UNKNOWN |
github.com/PHPMailer/PHPMailer/commit/45f3c18dc6a2de1cb1bf49b9b249a9ee36a5f7f3
github.com/PHPMailer/PHPMailer/commit/45f3c18dc6a2de1cb1bf49b9b249a9ee36a5f7f3 (v6.5.0)
launchpad.net/bugs/cve/CVE-2021-3603
nvd.nist.gov/vuln/detail/CVE-2021-3603
security-tracker.debian.org/tracker/CVE-2021-3603
ubuntu.com/security/notices/USN-5956-1
www.cve.org/CVERecord?id=CVE-2021-3603
www.huntr.dev/bounties/1-PHPMailer/PHPMailer/
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
71.7%