CVE-2016-10033
libphp-phpmailer - security update
9.8 CRITICAL (CVSS 3.1)
⚠ KEV | EPSS 94.4%
Description
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
How to fix CVE-2016-10033
To remediate CVE-2016-10033, upgrade the affected package to a fixed version below.
- upgrade to 5.2.0-r1 or later
- upgrade to 5.2.4-r0 or later
- upgrade to 5.2.14+dfsg-2.1 or later
- upgrade to 5.1-1.2 or later
- upgrade to 5.2.9+dfsg-2+deb8u2 or later
- upgrade to 5.2.18 or later
Is CVE-2016-10033 being exploited?
Yes — CVE-2016-10033 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.
Affected packages (6)
- from 0, < 5.2.0-r1
- from 0, < 5.2.4-r0
- from 0, < 5.2.14+dfsg-2.1
- from 0, < 5.1-1.2
- from 0, < 5.2.9+dfsg-2+deb8u2
- >= 5.0.0, < 5.2.18
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H |