First published: Wed Jun 16 2021(Updated: )
If a function is defined that has the same name as the default built-in email address validation scheme (`php`), it will be called in the default configuration: when no validation scheme is provided, the default scheme name `php` was passed to the callable check, resolved to that user-defined function, and called. If an attacker is able to inject such a function into the application (a much bigger issue in itself), it will be called whenever an email address is validated, such as when calling `validateAddress()`.

### Impact

Low impact – exploitation requires that an attacker can already inject code into an application, but it provides a trigger pathway.

### Patches

This is patched in PHPMailer 6.5.0 by denying the use of simple strings as validator function names, which is a very minor BC break.

### Workarounds

Inject your own email validator function.

### References

Reported by [Vikrant Singh Chauhan](mailto:vi@hackberry.xyz) via [huntr.dev](https://www.huntr.dev/).

[CVE-2021-3603](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3603)

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [the PHPMailer project](https://github.com/PHPMailer/PHPMailer)
* [Email us](mailto:phpmailer@synchromedia.co.uk).
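The mechanism above, shown as an added example that is not PHPMailer's own code: a simplified model of a validator lookup that resolves a string scheme name with `is_callable()`, beside a hardened version that follows the approach the advisory describes for 6.5.0 (refusing bare strings as validator callables). The function names `php()`, `validateAddressVulnerable()` and `validateAddressHardened()` and the `$strict` closure are constructed for this illustration.

```php
<?php
// Added example modelling the advisory's bug; not PHPMailer's actual code.

// Constructed stand-in for a global function whose name collides with the
// default scheme name 'php'. The advisory notes an attacker would need a
// separate code-injection path to get such a function into the application.
function php(string $address): bool
{
    echo "user-defined php() ran for {$address}\n";
    return true; // accepts anything, so real validation is bypassed
}

// Vulnerable pattern: a string scheme name is checked with is_callable(),
// so a global function named like the scheme shadows the built-in scheme.
function validateAddressVulnerable(string $address, $scheme = 'php'): bool
{
    if (is_callable($scheme)) {
        return (bool) call_user_func($scheme, $address);
    }
    switch ($scheme) {
        case 'php':
        default:
            return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
    }
}

// Hardened pattern: only a Closure or a non-string callable is invoked, so a
// scheme given as a string can only ever select a built-in scheme.
function validateAddressHardened(string $address, $scheme = 'php'): bool
{
    if ($scheme instanceof Closure || (is_callable($scheme) && !is_string($scheme))) {
        return (bool) call_user_func($scheme, $address);
    }
    if (!is_string($scheme)) {
        return false; // unknown scheme type: fail closed
    }
    // Line breaks are rejected outright (valid in RFC 5322, not in RFC 5321).
    if (strpbrk($address, "\r\n") !== false) {
        return false;
    }
    switch ($scheme) {
        case 'php':
        default:
            return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
    }
}

$bad = 'not an address';
var_dump(validateAddressVulnerable($bad)); // user php() runs: bool(true)
var_dump(validateAddressHardened($bad));   // built-in scheme runs: bool(false)

// The supported way to customise validation (the advisory's workaround):
// supply your own validator as a closure rather than a function name.
$strict = static function (string $address): bool {
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false
        && strpos($address, '+') === false; // constructed extra policy rule
};
var_dump(validateAddressHardened('user@example.com', $strict)); // bool(true)
var_dump(validateAddressHardened('user+tag@example.com', $strict)); // bool(false)
```

Run with `php example.php`. The detection angle for defenders is the same in both versions: a validator that returns `true` for an input like `not an address` is a sign that something other than the built-in scheme is answering, which is why the hardened path refuses to resolve string names through `is_callable()` at all.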
Credit: security@huntr.dev
Affected Software | Affected Version | How to fix
---|---|---
composer/phpmailer/phpmailer | <6.5.0 | 6.5.0
Phpmailer Project Phpmailer | <=6.4.1 |
Fedoraproject Fedora | =33 |
Fedoraproject Fedora | =34 |
debian/libphp-phpmailer | <=6.2.0-2 | 6.6.3-1, 6.9.1-1
CVE-2021-3603 is a vulnerability that allows untrusted code to be run from an overridden address validator.
The software affected by CVE-2021-3603 is PHPMailer, in versions before 6.5.0.
To fix CVE-2021-3603, update PHPMailer to version 6.5.0 or higher.
More information about CVE-2021-3603 can be found at the following link: https://github.com/PHPMailer/PHPMailer/releases/tag/v6.5.0