Issue ##3263256: Fix CVEs, update phpmailer to 6.5.0
Closes #3263256
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3603
Affected versions of this package are vulnerable to Arbitrary Code Execution. If the patternselect parameter to validateAddress() is set to 'php' (the default, defined by PHPMailer::
validator), and the global namespace contains a function called php, it will be called in preference to the built-in validator of the same name. Mitigated in PHPMailer 6.5.0 by denying the use of simple strings as validator function names.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34551 Affected versions of this package are vulnerable to Arbitrary Code Execution. If the $lang_path parameter is passed unfiltered from user input, it can be set to a UNC path, and if an attacker is also able to persuade the server to load a file from that UNC path, a script file under their control may be executed. This vulnerability only applies to systems that resolve UNC paths, typically only Microsoft Windows. PHPMailer 6.5.0 mitigates this by no longer treating translation files as PHP code, but by parsing their text content directly. This approach avoids the possibility of executing unknown code while retaining backward compatibility.