PHPMailer is a popular open-source library used for sending emails in PHP applications. This vulnerability allows attackers to inject malicious code into email bodies, potentially leading to cross-site scripting (XSS) attacks or even remote command execution.
You're affected if you use PHPMailer versions 5.2.0 through 5.6.20.
Check with: find / -name "phpmailer/PHPMailer.php" 2>/dev/null
Note: This vulnerability is similar to CVE-2011-1337, which affects older versions of PHPMailer. However, this specific CVE only applies to the mentioned version range.
Upgrade to PHPMailer version 5.6.21 or later.
- For immediate mitigation:
- Set allow_url_fopen to Off in your PHP configuration (php.ini).
- Use a secure email library like SwiftMailer instead of PHPMailer.