GHSA-6h78-85v2-mmch
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6h78-85v2-mmch
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-6h78-85v2-mmch/GHSA-6h78-85v2-mmch.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-6h78-85v2-mmch
- Aliases
- Published
- 2024-02-02T20:43:55Z
- Modified
- 2024-02-02T20:58:49.494723Z
- Summary
- PHPMailer Shell command injection
- Details
-
PHPMailer before 1.7.4, when configured to use sendmail, allows remote attackers to execute arbitrary shell commands via shell metacharacters in the SendmailSend function in
class.phpmailer.php.Impact
Shell command injection, remotely exploitable if host application does not filter user data appropriately.
Patches
Fixed in 1.7.4
Workarounds
Filter and validate user-supplied data before putting in the into the
Senderproperty.References
https://nvd.nist.gov/vuln/detail/CVE-2007-3215
For more information
If you have any questions or comments about this advisory: * Open a private issue in the PHPMailer project
- Database specific
{ "nvd_published_at": null, "github_reviewed": true, "github_reviewed_at": "2024-02-02T20:43:55Z", "cwe_ids": [], "severity": "HIGH" }- References
-
- https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-6h78-85v2-mmch
- https://cxsecurity.com/issue/WLB-2007060063
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34818
- https://github.com/PHPMailer/PHPMailer
- https://seclists.org/fulldisclosure/2011/Oct/223
- https://sourceforge.net/p/phpmailer/bugs/192
- https://web.archive.org/web/20070714054359/http://larholm.com/2007/06/11/phpmailer-0day-remote-execution
- https://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_rce
Affected packages
Packagist / phpmailer/phpmailer
Package
- Name
- phpmailer/phpmailer
- Purl
- pkg:composer/phpmailer/phpmailer