|
|
|||
| Rule General Information |
|---|
| Release Date: | 2020-09-04 | |
| Rule Name: | PHPMailer mail escapeshellarg Command Injection Vulnerability (CVE-2016-10045) | |
| Severity: | ||
| CVE ID: | ||
| Rule Protection Details |
|---|
| Description: | The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033. | |
| Impact: | An attacker can execute arbitrary command via a successful exploit in the context of the vulnerable software. | |
| Affected OS: | Windows, Others | |
| Reference: | SecurityFocusBID:95130 ExploitDB:40969 ExploitDB:42221 http://openwall.com/lists/oss-security/2016/12/28/1 |
|
| Solutions |
|---|
| The vendors have released upgrade patches to fix vulnerabilities, please visit: https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.20 |