CVE-2018-19296

Published: Nov 16, 2018Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.

Affected (7)

Products: Phpmailer Project: Phpmailer · Debian: Debian Linux · Fedoraproject: Fedora · +1 more

Show all products

Phpmailer Project: Phpmailer · Debian: Debian Linux · Fedoraproject: Fedora · Wordpress: Wordpress

Phpmailer Project

1 product

1 product

1 product

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Phpmailer Project Phpmailer	Before 5.2.27
Phpmailer Project Phpmailer	From 6.0.0 to 6.0.6

Configuration B

4 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 8.0
Debian Debian Linux	Version 9.0
Fedoraproject Fedora	Version 33
Fedoraproject Fedora	Version 34

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Wordpress Wordpress	From 3.7 to 5.7

Related CWEs

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (12)

https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.27

Source: cve@mitre.org

Release NotesVendor Advisory

https://github.com/PHPMailer/PHPMailer/releases/tag/v6.0.6

Source: cve@mitre.org

Release NotesVendor Advisory

https://lists.debian.org/debian-lts-announce/2018/12/msg00020.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3B5WDPGUFNPG4NAZ6G4BZX43BKLAVA5B/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KPU66INRFY5BQ3ESVPRUXJR4DXQAFJVT/

Source: cve@mitre.org

https://www.debian.org/security/2018/dsa-4351

Source: cve@mitre.org

Third Party Advisory

https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.27

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

https://github.com/PHPMailer/PHPMailer/releases/tag/v6.0.6

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

https://lists.debian.org/debian-lts-announce/2018/12/msg00020.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3B5WDPGUFNPG4NAZ6G4BZX43BKLAVA5B/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KPU66INRFY5BQ3ESVPRUXJR4DXQAFJVT/

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.debian.org/security/2018/dsa-4351

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.