CVE-2017-15508 - Unpatched PHPMailer Vulnerability

UNKNOWN No Patch (2889 days)

Threat Intelligence

Low Risk
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

PHPMailer is a widely used open-source library for sending email from PHP applications. This vulnerability lets an attacker inject content into the body of messages sent through the library. Depending on where that body ends up, the reported impact ranges from cross-site scripting (when a recipient's mail client renders the injected HTML) to remote code execution in the worst case.

Am I affected?

You're affected if you use PHPMailer version 5.2.0 or earlier (the fix section below names 5.2.3 as the first fixed release, so treat anything below 5.2.3 as needing review). To locate installed copies, search for the library's main source file; note that find's -name matches only the file name, so a pattern containing a directory separator never matches anything. Use: find / \( -name class.phpmailer.php -o -name PHPMailer.php \) -type f 2>/dev/null and then check the version string inside each file ($Version in the 5.x class, the VERSION constant in 6.x).

Note: PHPMailer has shipped several other security fixes across the 5.2.x and 6.x release lines. If the version you run is not listed here, do not assume it is safe; check the project's changelog and published security advisories for your exact release.

Affected Products

PHPMailer Project / PHPMailer

How to fix

To fix this issue:
1. Upgrade to PHPMailer version 5.2.3 or later.
2. If you cannot upgrade immediately, follow the security guidance in the PHPMailer README (https://github.com/PHPMailer/PHPMailer/blob/master/README.md#security) and make sure user-controlled input never reaches the message body without escaping.