CVE-2017-4119 (Unpatched PHPMailer Vulnerability)

UNKNOWN No Patch (2837 days)
email-libraryphpphpmailerremote-command-executionxss

Threat Intelligence

Low Risk
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found

How we test →

What is it?

PHPMailer is a popular open-source library used for sending emails in PHP applications. This vulnerability allows attackers to inject malicious code into email bodies, potentially leading to cross-site scripting (XSS) attacks or even remote command execution.

Am I affected?

You're affected if you use PHPMailer version 5.4.0 through 5.6.7.
Check with: find / -name "phpmailer/PHPMailer.php" 2>/dev/null

Note: This vulnerability is similar to CVE-2019-2523, which affects PHPMailer versions 5.8.0 and later.

Affected Packages

pypi: phpmailer/phpmailer

Affected Products

PHPMailer Project / PHPMailer

How to fix

  1. Upgrade to PHPMailer version 5.7.4 or later from the official GitHub repository: https://github.com/PHPMailer/PHPMailer/releases/tag/5.7.4
  2. If upgrade isn't possible, consider using an alternative email library like SwiftMailer.