Vulnerabilities > Phpmailer Project

DATE CVE VULNERABILITY TITLE RISK
2021-06-17 CVE-2021-3603 Inclusion of Functionality from Untrusted Control Sphere vulnerability in multiple products
PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host project's scope by other means).
network
high complexity
phpmailer-project fedoraproject CWE-829
8.1
2021-06-16 CVE-2021-34551 Unrestricted Upload of File with Dangerous Type vulnerability in multiple products
PHPMailer before 6.5.0 on Windows allows remote code execution if lang_path is untrusted data and has a UNC pathname.
network
high complexity
phpmailer-project fedoraproject CWE-434
8.1
2021-04-28 CVE-2020-36326 Deserialization of Untrusted Data vulnerability in multiple products
PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname.
network
low complexity
phpmailer-project wordpress CWE-502
critical
9.8
2020-06-08 CVE-2020-13625 Improper Encoding or Escaping of Output vulnerability in multiple products
PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character.
7.5
2018-11-16 CVE-2018-19296 PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack. 8.8
2017-07-20 CVE-2017-11503 Cross-site Scripting vulnerability in PHPmailer Project PHPmailer 5.2.23
PHPMailer 5.2.23 has XSS in the "From Email Address" and "To Email Address" fields of code_generator.php.
network
low complexity
phpmailer-project CWE-79
6.1
2017-01-16 CVE-2017-5223 Information Exposure vulnerability in PHPmailer Project PHPmailer
An issue was discovered in PHPMailer before 5.2.22.
local
low complexity
phpmailer-project CWE-200
5.5
2016-12-30 CVE-2016-10045 Command Injection vulnerability in multiple products
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP.
network
low complexity
phpmailer-project wordpress joomla CWE-77
critical
9.8
2016-12-30 CVE-2016-10033 Argument Injection or Modification vulnerability in multiple products
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
network
low complexity
phpmailer-project wordpress joomla CWE-88
critical
9.8