|
|
|||
| Rule General Information |
|---|
| Release Date: | 2019-01-08 | |
| Rule Name: | Phpmailer Mail Escapeshellarg Command Injection Vulnerability (CVE-2016-10045) | |
| Severity: | ||
| CVE ID: | ||
| Rule Protection Details |
|---|
| Description: | The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. | |
| Impact: | An attacker can execute arbitrary command via a successful exploit in the context of the vulnerable software. | |
| Affected OS: | FreeBSD, Linux, Windows, Mac OS, Other Unix, Others | |
| Reference: | http://packetstormsecurity.com/files/140286/PHPMailer-Remote-Code-Execution.html SecurityFocusBID:95130 SecurityTrackerID:1037533 https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html ExploitDB:40969 ExploitDB:40986 ExploitDB:42221 |
|
| Solutions |
|---|
| More advisories have been published on the website, please visit for more suggestions: https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md |