Forums | Mahara Community

Security Announcements /
Security issue relating to a remote code execution vulnerability in PHPMailer <15.04.11, <15.10.7, <16.04.5, <16.10.2


Kristina Hoeppner's profile picture
Posts: 3366

29 December 2016, 11:39 PM

From PHPMailer: All addresses used by PHPMailer are validated before being used, however, it's possible to construct a valid email address that also constitutes an executable command when passed to the shell via mail().

Category: Remote code execution
Severity: High
Versions affected: <15.04.11, <15.10.7, <16.04.5, <16.10.2
Reported to Mahara: Yuliya Bozhko
Reported to PHPMailer: Dawid Golunski and Paul Buonopane (@Zenexer)
CVE numbers: CVE-2016-10033 and CVE-2016-10045 (PHPMailer)
Bug report: https://bugs.launchpad.net/mahara/+bug/1652995

Further information is available from Legal Hackers and PHPMailer.

1 result