critical
9.8
CWE
502 641
Advisory Published
Advisory Published
Updated

CVE-2020-36326

First published: Wed Apr 28 2021(Updated: )

### Impact This is a reintroduction of an earlier issue (CVE-2018-19296) by an unrelated bug fix in PHPMailer 6.1.8. An external file may be unexpectedly executable if it is used as a path to an attachment file via PHP's support for `.phar` files`. Exploitation requires that an attacker is able to provide an unfiltered path to a file to attach, or to trick calling code into generating one. See [this article](https://knasmueller.net/5-answers-about-php-phar-exploitation) for more info. ### Patches This issue was patched in the PHPMailer 6.4.1 release. This release also implements stricter filtering for attachment paths; paths that look like *any* kind of URL are rejected. ### Workarounds Validate paths to loaded files using the same pattern as used in [`isPermittedPath()`](https://github.com/PHPMailer/PHPMailer/blob/master/src/PHPMailer.php#L1815) before using them in *any* PHP file function, such as `file_exists`. This method can't be used directly because it is protected, but you can implement the same thing in calling code. Note that this should be applied to *all* user-supplied paths passed into such functions; it's not a problem specific to PHPMailer. ### Credit This issue was found by Fariskhi Vidyan, reported and managed via Tidelift.

Credit: cve@mitre.org cve@mitre.org

Affected SoftwareAffected VersionHow to fix
composer/phpmailer/phpmailer>=6.1.8<6.4.1
6.4.1
Phpmailer Project Phpmailer>=6.1.8<=6.4.0
WordPress WordPress>=3.7<3.7.36
WordPress WordPress>=3.8<3.8.36
WordPress WordPress>=3.9<3.9.34
WordPress WordPress>=4.0<4.0.33
WordPress WordPress>=4.1<4.1.33
WordPress WordPress>=4.2<4.2.30
WordPress WordPress>=4.3<4.3.26
WordPress WordPress>=4.4<4.4.25
WordPress WordPress>=4.5<4.5.24
WordPress WordPress>=4.6<4.6.21
WordPress WordPress>=4.7<4.7.21
WordPress WordPress>=4.8<4.8.17
WordPress WordPress>=4.9<4.9.18
WordPress WordPress>=5.0<5.0.13
WordPress WordPress>=5.1<5.1.10
WordPress WordPress>=5.2<5.2.11
WordPress WordPress>=5.3<5.3.8
WordPress WordPress>=5.4<5.4.6
WordPress WordPress>=5.5<5.5.5
WordPress WordPress>=5.6<5.6.4
WordPress WordPress>=5.7<5.7.2
composer/phpmailer/phpmailer>=6.1.8<6.4.1
6.4.1

Remedy

https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is CVE-2020-36326?

    CVE-2020-36326 is a vulnerability that allows object injection via a local phar file in PHPMailer 6.1.8 through 6.4.0.

  • What is the severity of CVE-2020-36326?

    CVE-2020-36326 has a severity level of 9.8, which is classified as critical.

  • Which software versions are affected by CVE-2020-36326?

    CVE-2020-36326 affects PHPMailer versions 6.1.8 through 6.4.0, as well as certain versions of WordPress.

  • How can I fix CVE-2020-36326?

    To fix CVE-2020-36326, you should update PHPMailer to version 6.4.1. For WordPress, update to the latest version available.

  • Where can I find more information about CVE-2020-36326?

    You can find more information about CVE-2020-36326 in the references provided: [link1](https://github.com/PHPMailer/PHPMailer/releases/tag/v6.4.1), [link2](https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9), [link3](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3B5WDPGUFNPG4NAZ6G4BZX43BKLAVA5B/)

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203