PHPMailer before 1.7.4, when configured to use sendmail, allows remote attackers to execute arbitrary shell commands via shell metacharacters in the SendmailSend function in class.phpmailer.php.
Shell command injection, remotely exploitable if the host application does not filter user data appropriately.
Fixed in 1.7.4
Filter and validate user-supplied data before putting it into the Sender property.
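One way to apply this filtering in a host application, as an added example that is not PHPMailer's own code: `validate_sender()` and the `from` form field are hypothetical names, and the sample addresses are constructed. It uses an allow-list rather than a syntax check alone, because RFC-valid local parts may contain characters such as `|`, `` ` `` and `$` that a shell treats specially.

```php
<?php
// Added example: strict allow-list check for a value destined for the
// Sender property. validate_sender() is a hypothetical helper.

function validate_sender(string $input): ?string
{
    // Reject over-long values and any control character (CR, LF, NUL, ...).
    if (strlen($input) > 254 || preg_match('/[\x00-\x1F\x7F]/', $input)) {
        return null;
    }

    // Allow-list: the local part must start and end with a letter or digit
    // (so it can never begin with "-") and may contain only . _ + - between;
    // the domain is dot-separated LDH labels ending in an alphabetic TLD.
    // Whitespace, quotes and shell metacharacters cannot match.
    $pattern = '/\A[A-Za-z0-9](?:[A-Za-z0-9._+-]{0,62}[A-Za-z0-9])?@'
             . '(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+'
             . '[A-Za-z]{2,63}\z/';
    if (!preg_match($pattern, $input)) {
        return null;
    }

    // Second opinion on address syntax (catches cases such as "a..b@...").
    if (filter_var($input, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    return $input;
}

// Constructed sample inputs.
$samples = [
    'bounce@example.com',        // accepted
    'list+tag@mail.example.org', // accepted
    'bounce|x@example.com',      // rejected: "|" is not on the allow-list
    'bounce@example.com extra',  // rejected: whitespace
    '-bounce@example.com',       // rejected: leading hyphen
    "bounce@example.com\n",      // rejected: control character
];

foreach ($samples as $candidate) {
    $result = validate_sender($candidate) === null ? 'rejected' : 'accepted';
    printf("%-32s %s\n", var_export($candidate, true), $result);
}

// In the host application ("from" is an assumed form field name):
//   $sender = validate_sender($_POST['from'] ?? '');
//   if ($sender === null) { /* refuse the request */ }
//   $mail->Sender = $sender;
```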
https://nvd.nist.gov/vuln/detail/CVE-2007-3215
If you have any questions or comments about this advisory:
* Open a private issue in the PHPMailer project