A(n) (couple of) exploit(s) have been discovered in PHPmailer.
Initial report which is patched: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
New CVE, since the initial patch is still vulnerable: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
Explanation for dummies: https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/
Do we need to patch/update phpmailer on v7 and v9?
We might also release an update for 7 on this. Let's give them some time to see if they have any issues with the patch first.
For general knowledge, the vulnerability is critical but also conditional:
The mailSend function in the isMail transport in PHPMailer before 5.2.18, when the Sender property is not set, might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code.
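As an added example (not code from this thread or from the PHPMailer project), a sending helper that follows the condition quoted above: it sets the Sender property to a fixed, trusted address so that user input never becomes the envelope parameter handed to the mail command, and keeps the visitor's address in a Reply-To header instead. It assumes PHPMailer 5.2.x loaded through Composer and uses hypothetical example.org addresses; it is defense in depth alongside the upstream fix, not a replacement for updating.

```php
<?php
// Added example, not part of the thread or of PHPMailer itself.
// Assumes PHPMailer 5.2.x (non-namespaced class "PHPMailer") via Composer.
require 'vendor/autoload.php';

/**
 * Send a contact-form message without letting a user-supplied address
 * reach the mail command's envelope sender ("-f") parameter.
 *
 * @param string $userEmail address typed by the visitor (untrusted)
 * @param string $body      message text typed by the visitor (untrusted)
 * @return bool             true when PHPMailer reports success
 */
function sendContactMessage($userEmail, $body)
{
    // Defense in depth: reject obviously malformed input early.
    // This check alone is not what prevents the issue, the fixed Sender below is.
    if (filter_var($userEmail, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }

    $mail = new PHPMailer(true); // throw exceptions rather than fail silently

    // The advisory condition is "Sender property is not set": when it is not set,
    // the From address is used to build the envelope sender for mail().
    // Setting Sender to a fixed, trusted value keeps user input off that path.
    $mail->Sender = 'noreply@example.org';            // hypothetical address
    $mail->setFrom('noreply@example.org', 'Contact form');

    // The visitor's address goes into a header, not into a command argument.
    $mail->addReplyTo($userEmail);
    $mail->addAddress('support@example.org');         // hypothetical address
    $mail->Subject = 'Contact form submission';
    $mail->Body    = $body;

    try {
        return $mail->send();
    } catch (phpmailerException $e) {
        error_log('contact form mail failed: ' . $e->getMessage());
        return false;
    }
}
```

Switching the transport to SMTP with `$mail->isSMTP()` avoids the mail command entirely and is the other configuration-level option when updating is delayed.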