CVE-2016-10045 — Remote code execution in PHPMailer

Description

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.

How to fix CVE-2016-10045

To remediate CVE-2016-10045, upgrade the affected package to a fixed version below.

—upgrade to 5.2.0-r1 or later
—upgrade to 5.2.4-r0 or later
—upgrade to 5.2.20 or later

Is CVE-2016-10045 being exploited?

Likely — EPSS is 93.1%, placing CVE-2016-10045 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (3)

from 0, < 5.2.0-r1
from 0, < 5.2.4-r0
>= 5.0.0, < 5.2.20

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (17)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-10045
ADVISORYsecurity.alpinelinux.org/vuln/CVE-2016-10045
PATCHgithub.com/PHPMailer/PHPMailer
WEBopenwall.com/lists/oss-security/2016/12/28/1
WEB