Forums | Mahara Community
Security issue relating to a remote code execution vulnerability in PHPMailer <15.04.11, <15.10.7, <16.04.5, <16.10.2
29 December 2016, 23:39
From PHPMailer: All addresses used by PHPMailer are validated before being used, however, it's possible to construct a valid email address that also constitutes an executable command when passed to the shell via mail().
Category: Remote code execution
Versions affected: <15.04.11, <15.10.7, <16.04.5, <16.10.2
Reported to Mahara: Yuliya Bozhko
Reported to PHPMailer: Dawid Golunski and Paul Buonopane (@Zenexer)
CVE numbers: CVE-2016-10033 and CVE-2016-10045 (PHPMailer)
Bug report: https://bugs.launchpad.net/mahara/+bug/1652995
Further information is available from Legal Hackers and PHPMailer.