PT-2018-2631 · Php+2 · Phpmailer+2

Carnil +1

Published 2018-11-16 · Updated 2023-03-15 · CVE-2018-19296

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

PHPMailer versions prior to 5.2.27
PHPMailer versions 6.x prior to 6.0.6

Description

The issue is caused by insufficient input validation in the PHPMailer library, which allows a remote attacker to perform an object injection attack that could lead to remote code execution. The vulnerability can be triggered by passing phar:// paths into functions such as addAttachment(), which may receive unfiltered local paths; opening a phar:// path makes PHP unserialize the archive's metadata. No estimate of the number of potentially affected devices has been provided.

Recommendations

For PHPMailer versions prior to 5.2.27, update to version 5.2.27 or later. For PHPMailer versions 6.x prior to 6.0.6, update to version 6.0.6 or later. As a temporary workaround, validate and sanitize user-supplied input before using it as a path, and block paths containing URL-protocol style prefixes such as phar://.
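The workaround above can be implemented as an allow-list check that runs before any path reaches addAttachment(). The following is an added example written for this page, not code from PHPMailer or from the advisory source; the function names, the $uploadDir base directory and the use of the PHPMailer 6.x namespace (5.2.x exposes a global PHPMailer class instead) are assumptions. The scheme check deliberately comes before every filesystem call, because is_file(), file_exists() and similar functions resolve phar:// through PHP's stream wrappers and would trigger the metadata deserialization the description refers to.

```php
<?php
// Added example (not PHPMailer's own code): validate an attachment path
// before handing it to addAttachment(). Names are illustrative.

/**
 * Returns true only when $path is a plain local file inside $baseDir:
 * no URL-style scheme prefix (phar://, file://, data:, ...), no NUL byte,
 * no traversal outside the base directory, and a regular readable file.
 */
function isSafeAttachmentPath(string $path, string $baseDir): bool
{
    // 1. Reject anything that looks like a stream wrapper or URL scheme.
    //    This must run BEFORE any filesystem function, since is_file()
    //    on a phar:// path already unserializes the archive metadata.
    //    Caveat: this also rejects Windows drive-letter paths ("C:\...");
    //    use an application-relative path layout in that case.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $path)) {
        return false;
    }

    // 2. Reject embedded NUL bytes, which truncate the path in the
    //    underlying C call and have historically bypassed suffix checks.
    if (strpos($path, "\0") !== false) {
        return false;
    }

    // 3. Canonicalize both sides. realpath() does not use stream wrappers
    //    and returns false for non-existent paths.
    $base = realpath($baseDir);
    $real = realpath($path);
    if ($base === false || $real === false) {
        return false;
    }

    // 4. Containment check: resolved path must sit inside the base dir.
    //    The trailing separator prevents "/uploads2" matching "/uploads".
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return false;
    }

    // 5. Only regular, readable files are attachable.
    return is_file($real) && is_readable($real);
}

/**
 * Hypothetical wrapper: attaches $path only if it passes the check,
 * otherwise logs the rejection for the SOC and returns false.
 * $mail is a PHPMailer 6.x instance; $uploadDir is an application-
 * controlled directory that holds user uploads.
 */
function attachIfSafe(PHPMailer\PHPMailer\PHPMailer $mail, string $path, string $uploadDir): bool
{
    if (!isSafeAttachmentPath($path, $uploadDir)) {
        // Log the raw value: a phar:// or traversal attempt here is a
        // useful detection signal even though it was blocked.
        error_log('Rejected attachment path: ' . $path);
        return false;
    }
    // addAttachment() returns false on failure when exceptions are disabled.
    return $mail->addAttachment($path);
}
```

Applying this check in the application is a mitigation for code that cannot be upgraded yet; it does not replace updating to 5.2.27 / 6.0.6, which add the library's own path validation. Logging the rejected value gives detection engineers a concrete indicator to alert on.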

Exploit

Fix

Deserialization of Untrusted Data

Prototype Pollution

RCE


Weakness Enumeration

Related identifiers

BDU:2019-01248
CVE-2018-19296
DLA-1591-1
DLA-1591-2
DLA-2731-1
DSA-4351-1
GHSA-7W4P-72J7-V7C2
MGASA-2019-0010
USN-5956-1

Affected products

Linuxmint
Phpmailer
Ubuntu