CVE-2021-3603 (High) detected in phpmailer/phpmailer-v6.1.6 #462
Description
CVE-2021-3603 - High Severity Vulnerability
Vulnerable Library - phpmailer/phpmailer-v6.1.6
PHPMailer is a full-featured email creation and transfer class for PHP
Library home page: https://api.github.com/repos/PHPMailer/PHPMailer/zipball/c2796cb1cb99d7717290b48c4e6f32cb6c60b7b3
Dependency Hierarchy:
- ❌ phpmailer/phpmailer-v6.1.6 (Vulnerable Library)
Found in HEAD commit: a406daa2556a3c26adaf9e56b6a36f57a1324755
Found in base branch: master
Vulnerability Details
PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host project's scope by other means). If the $patternselect parameter to validateAddress() is set to 'php' (the default, defined by PHPMailer::$validator), and the global namespace contains a function called php, it will be called in preference to the built-in validator of the same name. Mitigated in PHPMailer 6.5.0 by denying the use of simple strings as validator function names.
Publish Date: 2021-06-17
URL: CVE-2021-3603
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3603
Release Date: 2021-06-17
Fix Resolution: v6.5.0
Step up your Open Source Security Game with WhiteSource here