CVE-2017-5223

Name of the Vulnerable Software and Affected Versions PHPMailer versions prior to 5.2.22

Description An issue in PHPMailer's msgHTML method allows it to apply transformations to an HTML document, making it usable as an email message body. One transformation converts relative image URLs into attachments using a script-provided base directory. If no base directory is provided, relative image URLs are treated as absolute local file paths and added as attachments. This can form a remote vulnerability if the msgHTML method is called with an unfiltered, user-supplied HTML document and no base directory is set. The impact of this issue is that arbitrary local files can be attached to email messages.

Recommendations For versions prior to 5.2.22, update to version 5.2.22 to resolve the issue. As a temporary workaround, consider validating input before using user-supplied file paths to minimize the risk of exploitation.