CVE-2015-8476 — libphp-phpmailer - security update

Description

Multiple CRLF injection vulnerabilities in PHPMailer before 5.2.14 allow attackers to inject arbitrary SMTP commands via CRLF sequences in an (1) email address to the validateAddress function in class.phpmailer.php or (2) SMTP command to the sendCommand function in class.smtp.php, a different vulnerability than CVE-2012-0796.

How to fix CVE-2015-8476

To remediate CVE-2015-8476, upgrade the affected package to a fixed version below.

Debian/libphp-phpmailer—upgrade to 5.2.14+dfsg-1 or later
Debian/libphp-phpmailer—upgrade to 5.1-1+deb6u11 or later
—upgrade to 5.1-1.1 or later
—upgrade to 5.2.14 or later

Is CVE-2015-8476 being exploited?

Low — EPSS is 0.9%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0, < 5.2.14+dfsg-1
from 0, < 5.1-1+deb6u11
from 0, < 5.1-1.1
>= 5.0.0, < 5.2.14

References (12)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-8476
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2015-8476
WEBlists.fedoraproject.org/pipermail/package-announce/2016-February/177130.html
WEBlists.fedoraproject.org/pipermail/package-announce/2016-February/177139.html