
Issue #3263256: Fix CVEs, update phpmailer to 6.5.0

Closes #3263256

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3603 Affected versions of this package are vulnerable to Arbitrary Code Execution. If the patternselect parameter to validateAddress() is set to 'php' (the default, defined by PHPMailer::validator), and the global namespace contains a function called php, it will be called in preference to the built-in validator of the same name. Mitigated in PHPMailer 6.5.0 by denying the use of simple strings as validator function names.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34551 Affected versions of this package are vulnerable to Arbitrary Code Execution. If the $lang_path parameter is passed unfiltered from user input, it can be set to a UNC path, and if an attacker is also able to persuade the server to load a file from that UNC path, a script file under their control may be executed. This vulnerability only applies to systems that resolve UNC paths, typically only Microsoft Windows. PHPMailer 6.5.0 mitigates this by no longer treating translation files as PHP code, but by parsing their text content directly. This approach avoids the possibility of executing unknown code while retaining backward compatibility.

Edited by mralexho
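The CVE-2021-3603 issue and its 6.5.0 mitigation in miniature, as an added example that is neither PHPMailer's code nor part of this merge request: a validator dispatcher in the pre-6.5.0 shape next to the hardened shape. The function names (validateAddressUnsafe, validateAddressSafe, builtinValidate), the KNOWN_PATTERNS constant and the shortened built-in patterns are illustrative assumptions, not the library's real API.

```php
<?php
declare(strict_types=1);
// Added example, not PHPMailer's own code. Function and constant names are
// illustrative; the built-in patterns are simplified stand-ins.

// Pre-6.5.0 shape: a string validator name is checked as a function first,
// so an application-defined global function php() shadows the 'php' pattern.
function validateAddressUnsafe(string $address, $patternselect = 'php'): bool
{
    if (is_callable($patternselect)) {      // true for 'php' once php() exists
        return (bool) call_user_func($patternselect, $address);
    }
    return builtinValidate($address, (string) $patternselect);
}

// 6.5.0 shape: only a Closure is accepted as a custom validator; a plain
// string is never treated as a function name and must be a known pattern.
const KNOWN_PATTERNS = ['php', 'html5', 'noregex'];
function validateAddressSafe(string $address, $patternselect = 'php'): bool
{
    if ($patternselect instanceof Closure) {
        return (bool) $patternselect($address);
    }
    if (!is_string($patternselect) || !in_array($patternselect, KNOWN_PATTERNS, true)) {
        return false;                       // unknown validator: reject, never call it
    }
    return builtinValidate($address, $patternselect);
}

// Simplified stand-ins for the built-in patterns (the real ones are longer).
function builtinValidate(string $address, string $pattern): bool
{
    switch ($pattern) {
        case 'noregex':
            $at = strpos($address, '@');
            return $at !== false && $at >= 1 && $at !== strlen($address) - 1;
        case 'html5':
            return (bool) preg_match('/^[A-Za-z0-9.!#$%&\'*+\/=?^_`{|}~-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*$/', $address);
        default: // 'php'
            return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
    }
}

// An application that happens to define a global helper named php().
function php($value): bool { return true; }   // accepts any input

$bad = 'not an address';
var_dump(validateAddressUnsafe($bad));  // php() above is called instead of the built-in validator
var_dump(validateAddressSafe($bad));    // bare 'php' only ever maps to filter_var()
var_dump(validateAddressSafe($bad, fn(string $a): bool => str_contains($a, '@')));  // Closure still allowed
```

The last call uses str_contains(), so it needs PHP 8.0 or later; everything else runs on PHP 7.4.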
