GHSA-mj5r-x73q-fjw6

Suggest an improvement
Source
https://github.com/advisories/GHSA-mj5r-x73q-fjw6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-mj5r-x73q-fjw6/GHSA-mj5r-x73q-fjw6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mj5r-x73q-fjw6
Aliases
  • CVE-2024-53860
Published
2024-11-27T21:59:28Z
Modified
2024-12-02T18:22:37.741354Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N CVSS Calculator
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
SPEmailHandler-PHP has Potential Abuse for Sending Arbitrary Emails
Details

Impact

Messages sent using this script are vulnerable to abuse, as the script allows anybody to specify arbitrary email recipients and include user-provided content in confirmation emails. This could enable malicious actors to use your server to send spam, phishing emails, or other malicious content, potentially damaging your domain's reputation and leading to blacklisting by email providers.

Patches

Patched in version 1.0.0 by removing user-provided content from confirmation emails. All pre-release versions (alpha and beta) are vulnerable to this issue and should not be used.

Workarounds

There are no workarounds for this issue. Users must upgrade to version 1.0.0 to mitigate the vulnerability.

Database specific
{
    "nvd_published_at": "2024-11-27T22:15:05Z",
    "cwe_ids": [
        "CWE-74"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-27T21:59:28Z"
}
References

Affected packages

Packagist / spencer14420/sp-php-email-handler

Package

Name
spencer14420/sp-php-email-handler
Purl
pkg:composer/spencer14420/sp-php-email-handler

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.0.0

Affected versions

1.*

1.0.0-alpha
1.0.0-alpha2
1.0.0-alpha3
1.0.0-alpha4
1.0.0-beta1
1.0.0-beta2