PHPMailer Shell command injection

High severity GitHub Reviewed Published Mar 5, 2020 in PHPMailer/PHPMailer • Updated Feb 2, 2024

Package

composer phpmailer/phpmailer (Composer)

Affected versions

< 1.7.4

Patched versions

1.7.4

Description

PHPMailer before 1.7.4, when configured to use sendmail, allows remote attackers to execute arbitrary shell commands via shell metacharacters in the SendmailSend function in class.phpmailer.php.

Impact

Shell command injection, remotely exploitable if the host application does not filter user-supplied data appropriately.

Patches

Fixed in 1.7.4

Workarounds

Filter and validate user-supplied data before putting it into the Sender property.
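One way for a host application to apply this workaround, as an added example that is not PHPMailer's own code (the function name and the sample inputs are constructed; it assumes the Sender value ends up on the sendmail command line, as the description states for versions before 1.7.4):

```php
<?php
// Added example (not PHPMailer's code): validate a user-supplied envelope
// sender before it is assigned to PHPMailer's Sender property, so that
// nothing a shell could interpret reaches the sendmail command line.

/**
 * Return the address if it is a syntactically valid e-mail address made of
 * a conservative character set; otherwise return null and let the caller
 * refuse the request.
 */
function safeSenderAddress(string $candidate): ?string
{
    $candidate = trim($candidate);

    // First gate: PHP's own e-mail validator.
    if (filter_var($candidate, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // Second gate: only unquoted local parts from a fixed character set.
    // filter_var may accept quoted local parts and other RFC-legal forms,
    // but quotes, spaces, ';', '|', '&', '$' and backticks are exactly the
    // characters a shell interprets, so they are never allowed through.
    if (!preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $candidate)) {
        return null;
    }

    return $candidate;
}

// Constructed sample inputs: two legitimate addresses and several that must be refused.
$samples = [
    'alice@example.com',
    'bob.smith+news@example.org',
    '"alice"@example.com',    // quoted local part: may pass filter_var, fails the regex
    'alice@example.com;',     // trailing shell separator
    "alice@example.com\nx",   // embedded newline
    'not an address',
];

foreach ($samples as $s) {
    $result = safeSenderAddress($s);
    printf("%-28s => %s\n", json_encode($s), $result === null ? 'REJECTED' : 'ok');
}

// Hypothetical use in the host application:
// $sender = safeSenderAddress($_POST['from'] ?? '');
// if ($sender === null) { http_response_code(400); exit('invalid sender'); }
// $mail->Sender = $sender;
```

Rejecting rather than sanitising keeps the check simple to reason about: any input that is not a plain address never reaches the Sender property.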

References

https://nvd.nist.gov/vuln/detail/CVE-2007-3215


@Synchro Synchro published to PHPMailer/PHPMailer Mar 5, 2020
Published to the GitHub Advisory Database Feb 2, 2024
Reviewed Feb 2, 2024
Last updated Feb 2, 2024

Severity

High

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(87th percentile)

Weaknesses

No CWEs

CVE ID

CVE-2007-3215

GHSA ID

GHSA-6h78-85v2-mmch

Source code
