PHPMailer before 1.7.4, when configured to use sendmail, allows remote attackers to execute arbitrary shell commands via shell metacharacters in the SendmailSend function in
Shell command injection, remotely exploitable if host application does not filter user data appropriately.
Fixed in 1.7.4
Filter and validate user-supplied data before putting in the into the
If you have any questions or comments about this advisory: * Open a private issue in the PHPMailer project