First published: Wed Dec 28 2016
### Impact

The `isMail` transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the `mail` command and consequently execute arbitrary code by leveraging improper interaction between the `escapeshellarg` function and internal escaping performed in the `mail` function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.

The root cause is double escaping: PHP's `mail()` already passes its additional-parameters argument through `escapeshellcmd()` before invoking the sendmail binary, so wrapping the sender in `escapeshellarg()` first yields a string whose quoting the shell interprets differently from what either function intended. This issue really emphasises that it is worth avoiding the built-in PHP `mail()` function entirely.

### Patches

Fixed in 5.2.20.

### Workarounds

Send via SMTP to localhost instead of calling the `mail()` function.

### References

* https://nvd.nist.gov/vuln/detail/CVE-2016-10045
* See also https://nvd.nist.gov/vuln/detail/CVE-2016-10033

### For more information

If you have any questions or comments about this advisory:

* Open a private issue in [the PHPMailer project](https://github.com/PHPMailer/PHPMailer)
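The escaping interaction described under Impact, as an added example that is not part of the advisory or of the PHPMailer code base: it applies `escapeshellarg()` and then `escapeshellcmd()` (the escaping PHP's `mail()` performs internally on its additional-parameters argument) to a constructed sender address, splits the result the way a POSIX shell would, and contrasts that with an allow-list check of the kind PHPMailer 5.2.20 introduced. The function names, the two sample addresses and the small word splitter are this example's own assumptions, and it assumes PHP on a POSIX system (on Windows `escapeshellarg()` quotes differently).

```php
<?php
// Added example; not code from the PHPMailer advisory or project. It models the
// escaping interaction the advisory describes using a constructed sender
// address. Documented PHP behaviour relied on: mail() runs escapeshellcmd()
// over its additional_params argument before spawning the sendmail binary.
// Assumes PHP on a POSIX (non-Windows) host.

/**
 * What the shell receives when the caller builds "-f<sender>" with
 * escapeshellarg() (as PHPMailer 5.2.18/5.2.19 did) and mail() then applies
 * escapeshellcmd() on top of it.
 */
function doubleEscapedSenderParam(string $sender): string
{
    $param = sprintf('-f%s', escapeshellarg($sender)); // caller's escaping
    return escapeshellcmd($param);                      // mail()'s own escaping
}

/**
 * Minimal POSIX sh word splitter (single quotes, double quotes, backslash,
 * blank separators). Enough to show how many argv words sendmail would get;
 * it is an illustration, not a complete shell grammar.
 */
function shWords(string $s): array
{
    $words = [];
    $cur = '';
    $inWord = false;
    $quote = null;
    $n = strlen($s);
    for ($i = 0; $i < $n; $i++) {
        $c = $s[$i];
        if ($quote === "'") {                       // inside '...': everything literal
            if ($c === "'") { $quote = null; } else { $cur .= $c; }
        } elseif ($quote === '"') {                 // inside "...": backslash escapes " \ $ `
            if ($c === '"') {
                $quote = null;
            } elseif ($c === '\\' && $i + 1 < $n && strpos('"\\$`', $s[$i + 1]) !== false) {
                $cur .= $s[++$i];
            } else {
                $cur .= $c;
            }
        } elseif ($c === "'" || $c === '"') {
            $quote = $c;
            $inWord = true;
        } elseif ($c === '\\' && $i + 1 < $n) {     // unquoted backslash: next char literal
            $cur .= $s[++$i];
            $inWord = true;
        } elseif ($c === ' ' || $c === "\t") {      // unquoted blank: word boundary
            if ($inWord) { $words[] = $cur; $cur = ''; $inWord = false; }
        } else {
            $cur .= $c;
            $inWord = true;
        }
    }
    if ($inWord) { $words[] = $cur; }
    return $words;
}

/**
 * Conservative allow-list modelled on the isShellSafe() check PHPMailer added
 * in 5.2.20 (reimplemented here, not copied): accept a sender only if it is
 * plain address characters and neither escaping function would change it.
 */
function isShellSafeSender(string $sender): bool
{
    return preg_match('/^[A-Za-z0-9@_.-]+$/', $sender) === 1
        && escapeshellcmd($sender) === $sender
        && escapeshellarg($sender) === "'" . $sender . "'";
}

// Constructed samples: a plain address, and an RFC 5322-valid quoted local
// part carrying a backslash, a single quote and a space.
$benign  = 'alice@example.com';
$hostile = '"a\\\' extra"@example.com';   // PHP literal for  "a\' extra"@example.com

foreach ([$benign, $hostile] as $sender) {
    $param = doubleEscapedSenderParam($sender);
    printf("%-26s allow-listed=%-3s shell words=%d %s\n",
        $sender,
        isShellSafeSender($sender) ? 'yes' : 'no',
        count(shWords($param)),
        json_encode(shWords($param)));
}
```

The benign address survives both escapings as a single `-f...` word. The constructed one does not: `escapeshellarg()` turns its embedded quote into the sequence `'\''`, `escapeshellcmd()` then doubles the backslashes and re-pairs the quotes on its own terms, and the shell ends up seeing the space outside any quoting, so sendmail receives an extra argument. The allow-list rejects that address before any of this happens, which is the property a caller of `mail()` needs; validating that the string is a syntactically correct e-mail address is not enough, since quoted local parts are legal.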
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix
---|---|---
composer/phpmailer/phpmailer | >=5.0.0 <5.2.20 | 5.2.20
PHPMailer Project PHPMailer | <5.2.20 |
WordPress | <=4.7 |
Joomla! | >=1.5.0 <=3.6.5 |
debian/libphp-phpmailer | 6.2.0-2, 6.6.3-1, 6.9.1-1 |
CVE-2016-10045 allows remote attackers to execute arbitrary code by passing extra parameters to the `mail` command through PHPMailer's `isMail` transport in versions before 5.2.20.
CVE-2016-10045 carries a CVSS v3 base score of 9.8, which is rated Critical.
The affected software includes PHPMailer versions prior to 5.2.20 and the versions of WordPress, Joomla! and Debian's libphp-phpmailer that bundle or package them (see the table above).
To fix CVE-2016-10045, upgrade PHPMailer to version 5.2.20 or newer; where PHPMailer is bundled by another project or shipped by a distribution, take that project's or distribution's updated release. As an interim workaround, configure PHPMailer to send via SMTP to localhost so that the `mail()` function is never called.
More information about CVE-2016-10045 is available from the PHPMailer project on GitHub and from the National Vulnerability Database (NVD).
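The workaround from the advisory (SMTP to localhost rather than `mail()`), as an added example that is not PHPMailer project code. It assumes PHPMailer 6.x installed through Composer and a local MTA listening on 127.0.0.1:25; the function names and the sample recipient are this example's own. The same calls exist under the same names in 5.2.x, where the class is simply `PHPMailer` loaded via `PHPMailerAutoload.php`.

```php
<?php
// Added example; not part of the PHPMailer advisory or project.
// Assumes PHPMailer 6.x via Composer and an MTA on 127.0.0.1:25.
require __DIR__ . '/vendor/autoload.php';

use PHPMailer\PHPMailer\Exception;
use PHPMailer\PHPMailer\PHPMailer;

/**
 * A mailer that submits over SMTP to the loopback MTA. No shell is involved,
 * so a user-supplied sender never becomes part of a sendmail command line.
 *
 * Pattern this replaces on PHPMailer < 5.2.20 (do not use):
 *   $mail->isMail();                 // PHP mail() -> /usr/sbin/sendmail via sh
 *   $mail->Sender = $userSupplied;   // ends up in mail()'s additional_params
 */
function localSmtpMailer(): PHPMailer
{
    $mail = new PHPMailer(true);      // throw Exception instead of returning false
    $mail->isSMTP();                  // transport: SMTP, not isMail()/isSendmail()
    $mail->Host        = '127.0.0.1';
    $mail->Port        = 25;
    $mail->SMTPAuth    = false;       // loopback submission, no credentials
    $mail->SMTPAutoTLS = false;       // loopback only: a self-signed local cert would fail STARTTLS verification
    $mail->CharSet     = 'UTF-8';
    return $mail;
}

/**
 * Send with a user-controlled envelope sender. Validate it even though no
 * shell is involved: an unexpected value now fails loudly at the edge instead
 * of reaching the MTA, and the same check keeps working if someone later
 * switches the transport back.
 */
function sendWithEnvelopeSender(PHPMailer $mail, string $sender, string $to,
                                string $subject, string $body): bool
{
    if (!PHPMailer::validateAddress($sender) || !PHPMailer::validateAddress($to)) {
        throw new Exception('refusing syntactically invalid address');
    }
    $mail->setFrom($sender);
    $mail->Sender = $sender;          // SMTP MAIL FROM (bounce address), sent as a protocol field
    $mail->addAddress($to);
    $mail->Subject = $subject;
    $mail->Body    = $body;
    return $mail->send();
}

// Constructed usage; addresses are placeholders.
try {
    $ok = sendWithEnvelopeSender(localSmtpMailer(), 'noreply@example.com',
        'user@example.net', 'Password reset', 'Your reset link follows.');
    echo $ok ? "queued via local MTA\n" : "send() returned false\n";
} catch (Exception $e) {
    echo 'mail error: ' . $e->getMessage() . "\n";
}
```

With this configuration the envelope sender travels as an SMTP `MAIL FROM` field, so the quoting problems that affect `mail()`'s command-line parameter cannot arise; the address validation is kept as defence in depth rather than as the control that prevents injection.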