You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Arbitrary local file inclusion via the $lang property, remotely exploitable if host application passes unfiltered user data into that property. The 3 CVEs listed are applications that used PHPMailer that were vulnerable to this problem.
Patches
It's not known exactly when this was fixed in the host applications, but it was fixed in PHPMailer 5.2.0.
Workarounds
Filter and validate user-supplied data before use.
Impact
Arbitrary local file inclusion via the
$langproperty, remotely exploitable if host application passes unfiltered user data into that property. The 3 CVEs listed are applications that used PHPMailer that were vulnerable to this problem.Patches
It's not known exactly when this was fixed in the host applications, but it was fixed in PHPMailer 5.2.0.
Workarounds
Filter and validate user-supplied data before use.
References
https://nvd.nist.gov/vuln/detail/CVE-2006-5734
https://nvd.nist.gov/vuln/detail/CVE-2007-3215
https://nvd.nist.gov/vuln/detail/CVE-2007-2021
Example exploit: https://www.exploit-db.com/exploits/14893
For more information
If you have any questions or comments about this advisory: