PT-2021-3390 · Phpmailer+3

Vikrant Singh Chauhan · Published 2021-06-17 · Updated 2024-03-06 · CVE-2021-3603

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: PHPMailer versions 6.4.1 and earlier
Description: The vulnerability lies in PHPMailer's validateAddress function and can lead to the execution of untrusted code if such code has been injected into the host project's scope by other means. When the $patternselect parameter is the string 'php' (the default) and a function named php exists in the global namespace, that function is called in place of the built-in validator. The root cause is that the validator is selected by a plain string name, which can resolve to a function defined within an untrusted control sphere.
Recommendations: For PHPMailer versions 6.4.1 and earlier, update to PHPMailer 6.5.0, which refuses plain strings as validator function names. As a temporary workaround, consider disabling the validateAddress() function until a patch is available. Restrict what can define functions in the global namespace to prevent the injection of malicious functions, and avoid defining a function named php in the global namespace to minimize the risk of exploitation.
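The selection logic behind this issue, as an added illustration written for this entry (not PHPMailer's own code): a stand-in for the pre-6.5.0 dispatch beside a hardened form that mirrors the described fix by refusing string validator names. The global php() function, the helper names and the sample address are constructed for the demonstration.

```php
<?php
// Constructed stand-in for a function that untrusted code has defined in the
// host project's global namespace. Its name collides with the default
// $patternselect value 'php', and it accepts every address unconditionally.
function php(string $address): bool
{
    return true;
}

// The built-in validator both variants are supposed to reach (hypothetical helper).
function filterVarValidator(string $address): bool
{
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

// Mirrors the pre-6.5.0 behaviour: any string that is_callable() resolves is
// dispatched through call_user_func() before the built-in validators run, so
// the bare name 'php' binds to the global php() function above.
function validateAddressLegacy(string $address, $patternselect = 'php'): bool
{
    if (is_callable($patternselect)) {
        return (bool) call_user_func($patternselect, $address);
    }
    return filterVarValidator($address);
}

// Mirrors the 6.5.0 fix: a custom validator must be a callable that is not a
// plain string, so a bare name can never be routed to a global function.
function validateAddressHardened(string $address, $patternselect = 'php'): bool
{
    if (is_callable($patternselect) && !is_string($patternselect)) {
        return (bool) call_user_func($patternselect, $address);
    }
    switch ($patternselect) {
        case 'php':
            return filterVarValidator($address);
        default:
            return false; // unknown string names are refused, not dispatched
    }
}

$sample = "not an address\r\nBcc: someone@example.invalid"; // constructed input
var_dump(validateAddressLegacy($sample));   // legacy path: dispatched to global php()
var_dump(validateAddressHardened($sample)); // hardened path: built-in validator runs
var_dump(validateAddressHardened($sample, function (string $a): bool {
    return strpos($a, '@') !== false && strpos($a, "\n") === false;
})); // closures remain usable as custom validators
```

Running the script under a PHP interpreter with the global php() present shows the legacy path accepting the sample while the hardened path rejects it; removing php() makes both paths agree.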

Weakness Enumeration: Special Elements Injection

Related Identifiers

BDU:2021-03241
BIT-PHPMAILER-2021-3603
CVE-2021-3603
GHSA-77MR-WC79-M8J3
MGASA-2021-0345
USN-5956-1

Affected Products

Debian
Linuxmint
Phpmailer
Ubuntu