Source: libphp-phpmailer
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for libphp-phpmailer.

CVE-2021-3603[0]:
| PHPMailer 6.4.1 and earlier contain a vulnerability that can result in
| untrusted code being called (if such code is injected into the host
| project's scope by other means). If the $patternselect parameter to
| validateAddress() is set to 'php' (the default, defined by
| PHPMailer::$validator), and the global namespace contains a function
| called php, it will be called in preference to the built-in validator
| of the same name. Mitigated in PHPMailer 6.5.0 by denying the use of
| simple strings as validator function names.

https://www.huntr.dev/bounties/1-PHPMailer/PHPMailer/

Patch:
https://github.com/PHPMailer/PHPMailer/commit/45f3c18dc6a2de1cb1bf49b9b249a9ee36a5f7f3 (v6.5.0)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3603
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3603

Please adjust the affected versions in the BTS as needed.
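As an added illustration (example code written for this report, not PHPMailer's own; the class names and the injected function are constructed assumptions), here is the dispatch pattern the CVE describes next to a hardened form that refuses plain strings as callables, the approach the 6.5.0 mitigation takes:

```php
<?php
// Added example, not PHPMailer code: a minimal validator mirroring the
// dispatch pattern described in CVE-2021-3603, beside the hardened form.

// Constructed stand-in for a function that some other component has placed
// in the global namespace. Its name collides with the 'php' validator key.
function php($address)
{
    return true; // accepts anything, including malformed addresses
}

final class VulnerableValidator
{
    public static function validateAddress($address, $patternselect = 'php')
    {
        // is_callable('php') is true once a global function of that name
        // exists, so the injected function shadows the built-in branch.
        if (is_callable($patternselect)) {
            return call_user_func($patternselect, $address);
        }
        return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
    }
}

final class HardenedValidator
{
    public static function validateAddress($address, $patternselect = 'php')
    {
        // Only non-string callables (closures, [$obj, 'method'] arrays) are
        // dispatched; a plain string is always treated as a strategy name.
        if (is_callable($patternselect) && !is_string($patternselect)) {
            return call_user_func($patternselect, $address);
        }
        switch ($patternselect) {
            case 'php':
            default:
                return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
        }
    }
}

$bogus = 'not-an-address';
// Vulnerable: the injected global function decides and accepts the bogus value.
var_dump(VulnerableValidator::validateAddress($bogus));
// Hardened: the string 'php' reaches the switch and filter_var() rejects it.
var_dump(HardenedValidator::validateAddress($bogus));

// A closure is still an accepted custom validator in the hardened form.
$strict = static function ($a) { return str_ends_with($a, '@example.com'); };
var_dump(HardenedValidator::validateAddress('user@example.com', $strict));
```

Running the script under PHP 8 shows the first check accepting the malformed address and the second rejecting it, while the closure-based custom validator keeps working.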