PHPMailer 5.2.13 and earlier is vulnerable to multiple CRLF (carriage return / line feed) injection attacks because it does not reject address inputs that contain line breaks. An attacker who controls an e-mail address can pass a value containing `\r\n` to the `validateAddress` function in `class.phpmailer.php`, or have it reach the `sendCommand` function in `class.smtp.php` as part of an SMTP command. Because the address is concatenated into mail headers and SMTP commands unchanged, the embedded line break terminates the current header or command and whatever follows it is interpreted as an additional header or SMTP command (a message injection attack). The issue is fixed in PHPMailer 5.2.14 (see the commit and release tag in the references below).
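The following is an added illustration, not PHPMailer's own code: it shows how an address carrying `\r\n` turns one header or one SMTP command into several when it is concatenated naively, and the line-break check a hardened `validateAddress`-style filter needs to apply before the address reaches header or command construction. The function names (`naiveHeader`, `naiveRcptCommand`, `isSafeAddress`, `safeRcptCommand`) and the attacker inputs are constructed for this example and do not appear in PHPMailer.

```php
<?php
// Added example (not PHPMailer's code). Demonstrates CRLF injection through an
// e-mail address and the check that blocks it.

// Naive header construction: the address is concatenated with no filtering,
// which is the behaviour the unpatched address path relied on.
function naiveHeader(string $name, string $address): string
{
    return $name . ": " . $address . "\r\n";
}

// Naive SMTP command construction, as when an unfiltered address reaches the
// SMTP command stream.
function naiveRcptCommand(string $address): string
{
    return "RCPT TO:<" . $address . ">\r\n";
}

// Hardened check: reject any address containing CR or LF before it is used in
// a header or an SMTP command, then apply ordinary syntax validation.
function isSafeAddress(string $address): bool
{
    if (strpos($address, "\r") !== false || strpos($address, "\n") !== false) {
        return false;
    }
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

function safeRcptCommand(string $address): string
{
    if (!isSafeAddress($address)) {
        throw new InvalidArgumentException('address contains a line break or is not valid');
    }
    return "RCPT TO:<" . $address . ">\r\n";
}

// Constructed attacker inputs (not from any real incident).
// 1. Header injection: one "To" value that smuggles a Bcc header.
$headerAttack = "victim@example.com\r\nBcc: attacker@example.net";
$headers = naiveHeader("To", $headerAttack);
// The output now contains a To header AND a Bcc header.
echo str_replace("\r\n", "\\r\\n\n", $headers);
assert(substr_count($headers, "\r\n") === 2);
assert(strpos($headers, "Bcc: attacker@example.net") !== false);

// 2. SMTP command injection: one RCPT address that smuggles a second RCPT.
$smtpAttack = "victim@example.com>\r\nRCPT TO:<attacker@example.net";
$stream = naiveRcptCommand($smtpAttack);
// The command stream now contains two RCPT TO lines; the server accepts both.
echo str_replace("\r\n", "\\r\\n\n", $stream);
assert(substr_count($stream, "RCPT TO:") === 2);

// The hardened path rejects both payloads before anything is built.
foreach ([$headerAttack, $smtpAttack] as $payload) {
    try {
        safeRcptCommand($payload);
        echo "ERROR: payload was accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: " . $e->getMessage() . "\n";
    }
}

// A normal address still passes.
echo safeRcptCommand("user@example.com");
assert(isSafeAddress("user@example.com") === true);
```

Run it with `php example.php`; the two naive builders print the injected extra header and extra `RCPT TO` line, while `safeRcftCommand` is never reached for the malicious inputs because `isSafeAddress` fails on the first `\r` or `\n`. The check is deliberately placed on the raw address rather than on the assembled header, since the fix in PHPMailer 5.2.14 likewise has to reject the input before it is concatenated anywhere.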
| CPE | Name | Operator | Version |
|---|---|---|---|
| | phpmailer/phpmailer | le (less than or equal to) | 5.2.13 |
- lists.fedoraproject.org/pipermail/package-announce/2016-February/177130.html
- lists.fedoraproject.org/pipermail/package-announce/2016-February/177139.html
- www.debian.org/security/2015/dsa-3416
- www.openwall.com/lists/oss-security/2015/12/04/5
- www.openwall.com/lists/oss-security/2015/12/05/1
- www.securityfocus.com/bid/78619
- github.com/advisories/GHSA-738m-f33v-qc2r
- github.com/PHPMailer/PHPMailer/commit/6687a96a18b8f12148881e4ddde795ae477284b0 (fix commit)
- github.com/PHPMailer/PHPMailer/releases/tag/v5.2.14 (fixed release)