is a web application for booking meeting rooms or other resources (using PHP and MySQL/pgsql).
| SECURITY.md (mrbs-1.9.4) | : | SECURITY.md (mrbs-1.10.0) |
|---|
| # Security notices relating to PHPMailer | | # Security notices relating to PHPMailer |
| | |
| Please disclose any security issues or vulnerabilities found through [Tidelift's
coordinated disclosure system](https://tidelift.com/security) or to the maintai
ners privately. | | Please disclose any security issues or vulnerabilities found through [Tidelift's
coordinated disclosure system](https://tidelift.com/security) or to the maintai
ners privately. |
| | |
|
| | PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted |
| | code being called (if such code is injected into the host project's scope by ot |
| | her means). If the `$patternselect` parameter to `validateAddress()` is set to ` |
| | 'php'` (the default, defined by `PHPMailer::$validator`), and the global namespa |
| | ce contains a function called `php`, it will be called in preference to the buil |
| | t-in validator of the same name. Mitigated in PHPMailer 6.5.0 by denying the use |
| | of simple strings as validator function names. Recorded as [CVE-2021-3603](http |
| | s://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3603). Reported by [Vikran |
| | t Singh Chauhan](mailto:vi@hackberry.xyz) via [huntr.dev](https://www.huntr.dev/ |
| | ). |
| | |
| | PHPMailer versions 6.4.1 and earlier contain a possible remote code execution vu |
| | lnerability through the `$lang_path` parameter of the `setLanguage()` method. If |
| | the `$lang_path` parameter is passed unfiltered from user input, it can be set |
| | to [a UNC path](https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-fo |
| | rmats#unc-paths), and if an attacker is also able to persuade the server to load |
| | a file from that UNC path, a script file under their control may be executed. T |
| | his vulnerability only applies to systems that resolve UNC paths, typically only |
| | Microsoft Windows. |
| | PHPMailer 6.5.0 mitigates this by no longer treating translation files as PHP co |
| | de, but by parsing their text content directly. This approach avoids the possibi |
| | lity of executing unknown code while retaining backward compatibility. This isn' |
| | t ideal, so the current translation format is deprecated and will be replaced in |
| | the next major release. Recorded as [CVE-2021-34551](https://web.nvd.nist.gov/v |
| | iew/vuln/detail?vulnId=CVE-2021-34551). Reported by [Jilin Diting Information Te |
| | chnology Co., Ltd](https://listensec.com) via Tidelift. |
| | |
| PHPMailer versions between 6.1.8 and 6.4.0 contain a regression of the earlier C
VE-2018-19296 object injection vulnerability as a result of [a fix for Windows U
NC paths in 6.1.8](https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff3
6aba21d0242c5950c56e4c6f9). Recorded as [CVE-2020-36326](https://web.nvd.nist.go
v/view/vuln/detail?vulnId=CVE-2020-36326). Reported by Fariskhi Vidyan via Tidel
ift. 6.4.1 fixes this issue, and also enforces stricter checks for URL schemes i
n local path contexts. | | PHPMailer versions between 6.1.8 and 6.4.0 contain a regression of the earlier C
VE-2018-19296 object injection vulnerability as a result of [a fix for Windows U
NC paths in 6.1.8](https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff3
6aba21d0242c5950c56e4c6f9). Recorded as [CVE-2020-36326](https://web.nvd.nist.go
v/view/vuln/detail?vulnId=CVE-2020-36326). Reported by Fariskhi Vidyan via Tidel
ift. 6.4.1 fixes this issue, and also enforces stricter checks for URL schemes i
n local path contexts. |
| | |
| PHPMailer versions 6.1.5 and earlier contain an output escaping bug that occurs
in `Content-Type` and `Content-Disposition` when filenames passed into `addAttac
hment` and other methods that accept attachment names contain double quote chara
cters, in contravention of RFC822 3.4.1. No specific vulnerability has been foun
d relating to this, but it could allow file attachments to bypass attachment fil
ters that are based on matching filename extensions. Recorded as [CVE-2020-13625
](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13625). Reported by
Elar Lang of Clarified Security. | | PHPMailer versions 6.1.5 and earlier contain an output escaping bug that occurs
in `Content-Type` and `Content-Disposition` when filenames passed into `addAttac
hment` and other methods that accept attachment names contain double quote chara
cters, in contravention of RFC822 3.4.1. No specific vulnerability has been foun
d relating to this, but it could allow file attachments to bypass attachment fil
ters that are based on matching filename extensions. Recorded as [CVE-2020-13625
](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13625). Reported by
Elar Lang of Clarified Security. |
| | |
| PHPMailer versions prior to 6.0.6 and 5.2.27 are vulnerable to an object injecti
on attack by passing `phar://` paths into `addAttachment()` and other functions
that may receive unfiltered local paths, possibly leading to RCE. Recorded as [C
VE-2018-19296](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19296).
See [this article](https://knasmueller.net/5-answers-about-php-phar-exploitatio
n) for more info on this type of vulnerability. Mitigated by blocking the use of
paths containing URL-protocol style prefixes such as `phar://`. Reported by Seh
un Oh of cyberone.kr. | | PHPMailer versions prior to 6.0.6 and 5.2.27 are vulnerable to an object injecti
on attack by passing `phar://` paths into `addAttachment()` and other functions
that may receive unfiltered local paths, possibly leading to RCE. Recorded as [C
VE-2018-19296](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19296).
See [this article](https://knasmueller.net/5-answers-about-php-phar-exploitatio
n) for more info on this type of vulnerability. Mitigated by blocking the use of
paths containing URL-protocol style prefixes such as `phar://`. Reported by Seh
un Oh of cyberone.kr. |
| | |
| PHPMailer versions prior to 5.2.24 (released July 26th 2017) have an XSS vulnera
bility in one of the code examples, [CVE-2017-11503](https://web.nvd.nist.gov/vi
ew/vuln/detail?vulnId=CVE-2017-11503). The `code_generator.phps` example did not
filter user input prior to output. This file is distributed with a `.phps` exte
nsion, so it it not normally executable unless it is explicitly renamed, and the
file is not included when PHPMailer is loaded through composer, so it is safe b
y default. There was also an undisclosed potential XSS vulnerability in the defa
ult exception handler (unused by default). Patches for both issues kindly provid
ed by Patrick Monnerat of the Fedora Project. | | PHPMailer versions prior to 5.2.24 (released July 26th 2017) have an XSS vulnera
bility in one of the code examples, [CVE-2017-11503](https://web.nvd.nist.gov/vi
ew/vuln/detail?vulnId=CVE-2017-11503). The `code_generator.phps` example did not
filter user input prior to output. This file is distributed with a `.phps` exte
nsion, so it it not normally executable unless it is explicitly renamed, and the
file is not included when PHPMailer is loaded through composer, so it is safe b
y default. There was also an undisclosed potential XSS vulnerability in the defa
ult exception handler (unused by default). Patches for both issues kindly provid
ed by Patrick Monnerat of the Fedora Project. |
| | |
| PHPMailer versions prior to 5.2.22 (released January 9th 2017) have a local file
disclosure vulnerability, [CVE-2017-5223](https://web.nvd.nist.gov/view/vuln/de
tail?vulnId=CVE-2017-5223). If content passed into `msgHTML()` is sourced from u
nfiltered user input, relative paths can map to absolute local file paths and ad
ded as attachments. Also note that `addAttachment` (just like `file_get_contents
`, `passthru`, `unlink`, etc) should not be passed user-sourced params either! R
eported by Yongxiang Li of Asiasecurity. | | PHPMailer versions prior to 5.2.22 (released January 9th 2017) have a local file
disclosure vulnerability, [CVE-2017-5223](https://web.nvd.nist.gov/view/vuln/de
tail?vulnId=CVE-2017-5223). If content passed into `msgHTML()` is sourced from u
nfiltered user input, relative paths can map to absolute local file paths and ad
ded as attachments. Also note that `addAttachment` (just like `file_get_contents
`, `passthru`, `unlink`, etc) should not be passed user-sourced params either! R
eported by Yongxiang Li of Asiasecurity. |
| | |
| | | |
| End of changes. 1 change blocks. |
|---|
| 0 lines changed or deleted | | 27 lines changed or added |
|---|
"Fossies" - the Fresh Open Source Software Archive 