CVE-2017-4059: Unpatched PHPMailer Vulnerability

UNKNOWN No Patch (2837 days)

Threat Intelligence

Low Risk
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

PHPMailer is a popular open-source library used for sending emails in PHP applications. This vulnerability allows attackers to inject malicious code into email bodies, potentially leading to cross-site scripting (XSS) attacks or even remote code execution.

Am I affected?

You're affected if you use PHPMailer version 5.2.0 through 5.6.20. Check with: grep -r "PHPMailer" vendor/phpmailer/phpmailer.php in your project's root directory.

Note: This vulnerability is similar to CVE-2011-4019, which affects PHPMailer versions prior to 5.2.0 as well as the later 6.x versions. However, the fix for this specific vulnerability only applies to version 5.6.20 and earlier.
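The version check above can be scripted. The following is an added example, not part of this advisory or of the PHPMailer project: it reads the version string out of a PHPMailer source file and tests it against the affected range stated above (5.2.0 through 5.6.20, inclusive). The file path and the `$Version = '...'` line format are assumptions; the sample file is constructed for the demonstration.

```sh
#!/bin/sh
# Added example: compare an installed PHPMailer version against the
# affected range 5.2.0 .. 5.6.20 given in the advisory.

# vercmp A B prints -1, 0 or 1 depending on whether dotted version A is
# lower than, equal to or higher than B. Missing components count as 0,
# so 5.6 and 5.6.0 compare equal.
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah=${a%%.*}; [ "$ah" = "$a" ] && a="" || a=${a#*.}
    bh=${b%%.*}; [ "$bh" = "$b" ] && b="" || b=${b#*.}
    ah=${ah:-0}; bh=${bh:-0}
    if [ "$ah" -lt "$bh" ]; then printf '%s\n' "-1"; return; fi
    if [ "$ah" -gt "$bh" ]; then printf '%s\n' "1"; return; fi
  done
  printf '%s\n' "0"
}

# Succeeds (exit 0) when version $1 lies inside the inclusive affected range.
phpmailer_affected() {
  [ "$(vercmp "$1" 5.2.0)" -ge 0 ] && [ "$(vercmp "$1" 5.6.20)" -le 0 ]
}

# Pull the version out of a PHPMailer source file. Assumes a line such as
#   public $Version = '5.2.14';
extract_version() {
  sed -n "s/.*\$Version *= *['\"]\([0-9.]*\)['\"].*/\1/p" "$1" | head -n1
}

# Constructed sample file standing in for vendor/phpmailer/phpmailer.php.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<?php
class PHPMailer {
    public $Version = '5.2.14';
}
EOF
ver=$(extract_version "$sample")
if phpmailer_affected "$ver"; then
  echo "PHPMailer $ver: inside affected range, upgrade to 5.6.21 or later"
else
  echo "PHPMailer $ver: outside affected range"
fi
rm -f "$sample"
```

Point `extract_version` at your real PHPMailer file instead of the constructed sample to check a deployment.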

Affected Products

PHPMailer Project / PHPMailer

How to fix

To fix this vulnerability, upgrade to PHPMailer version 5.6.21 or later. You can download the latest version from the official GitHub repository: https://github.com/PHPMailer/PHPMailer

Immediate mitigations:

  • Disable the mail() function in your application until you've upgraded and patched.
  • Use a secure alternative library like SwiftMailer.