Phpmailerproject Phpmailer
By the Year
In 2024 there have been 0 vulnerabilities in Phpmailerproject Phpmailer. Phpmailer did not have any published security vulnerabilities last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2024 | 0 | 0.00 |
2023 | 0 | 0.00 |
2022 | 0 | 0.00 |
2021 | 2 | 8.95 |
2020 | 1 | 7.50 |
2019 | 0 | 0.00 |
2018 | 1 | 8.80 |
It may take a day or so for new Phpmailer vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Phpmailerproject Phpmailer Security Vulnerabilities
PHPMailer 6.4.1 and earlier contain a vulnerability
CVE-2021-3603
8.1 - High
- June 17, 2021
PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host project's scope by other means). If the $patternselect parameter to validateAddress() is set to 'php' (the default, defined by PHPMailer::$validator), and the global namespace contains a function called php, it will be called in preference to the built-in validator of the same name. Mitigated in PHPMailer 6.5.0 by denying the use of simple strings as validator function names.
Inclusion of Functionality from Untrusted Control Sphere
PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname
CVE-2020-36326
9.8 - Critical
- April 28, 2021
PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.
Marshaling, Unmarshaling
PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character
CVE-2020-13625
7.5 - High
- June 08, 2020
PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message.
Output Sanitization
PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.
CVE-2018-19296
8.8 - High
- November 16, 2018
PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.
Marshaling, Unmarshaling
The isMail transport in PHPMailer before 5.2.20 might
CVE-2016-10045
9.8 - Critical
- December 30, 2016
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.
Command Injection
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might
CVE-2016-10033
9.8 - Critical
- December 30, 2016
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
Argument Injection