Unpatched PHPMailer Vulnerability

UNKNOWN No Patch (2837 days)

Threat Intelligence

Low Risk
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

PHPMailer is a popular open-source library used for sending emails in PHP applications. This vulnerability allows attackers to inject malicious code into email messages, potentially leading to cross-site scripting (XSS) attacks or even remote code execution.

Am I affected?

You're affected if you use PHPMailer version 5.2.0 through 5.3.1. Check with: find / -path "*/phpmailer/PHPMailer.php" 2>/dev/null (find's -name tests only the file's base name, so a pattern containing a slash would never match; -path tests the whole path).

Note: This is niche software; also check your PHP version and other dependencies to make sure no similar vulnerabilities are present.
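To check the affected range in practice, here is an added POSIX shell script (not part of this advisory or of the PHPMailer project) that locates PHPMailer source files under a directory and flags those whose declared version falls in 5.2.0 through 5.3.1. It assumes the library declares its version either as public $Version = '5.x.y'; (the older class.phpmailer.php layout) or as const VERSION = '6.x.y'; (the src/PHPMailer.php layout); both declaration forms are assumptions, not taken from this page. The demonstration at the end builds a constructed sample tree in a temporary directory, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the advisory or the PHPMailer project.
# Finds PHPMailer source files and flags versions in the advisory's
# affected range 5.2.0 .. 5.3.1 (inclusive).
# Assumption: the library declares its version as
#   public $Version = '5.2.x';     (older class.phpmailer.php layout)
#   const VERSION = '6.x.y';       (newer src/PHPMailer.php layout)

# Print the first MAJOR.MINOR.PATCH version declared in a PHPMailer file,
# or nothing if no declaration is found.
extract_phpmailer_version() {
    # First grep isolates the declaration (the '.?' absorbs the opening
    # quote character), second grep pulls out the bare version number.
    grep -E -o '(\$Version|VERSION)[[:space:]]*=[[:space:]]*.?[0-9]+\.[0-9]+\.[0-9]+' "$1" 2>/dev/null |
        grep -E -o '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Return success (0) when MAJOR.MINOR.PATCH lies within 5.2.0 .. 5.3.1.
# Components are packed into one integer so the comparison is numeric,
# not lexical (5.10.0 must not be mistaken for 5.1.0).
phpmailer_is_affected() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    packed=$((major * 1000000 + minor * 1000 + patch))
    [ "$packed" -ge 5002000 ] && [ "$packed" -le 5003001 ]
}

# Walk a directory tree and print one line per PHPMailer copy found:
#   AFFECTED <version> <path>   or   ok <version> <path>
scan_phpmailer() {
    find "$1" -type f \( -name 'PHPMailer.php' -o -name 'class.phpmailer.php' \) 2>/dev/null |
    while IFS= read -r file; do
        ver=$(extract_phpmailer_version "$file")
        [ -n "$ver" ] || continue      # no version declaration: not PHPMailer
        if phpmailer_is_affected "$ver"; then
            printf 'AFFECTED %s %s\n' "$ver" "$file"
        else
            printf 'ok %s %s\n' "$ver" "$file"
        fi
    done
}

# Demonstration on a constructed sample tree (two fake PHPMailer copies).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/legacy/phpmailer" "$demo_dir/current/src"
cat > "$demo_dir/legacy/phpmailer/class.phpmailer.php" <<'EOF'
<?php
class PHPMailer {
    public $Version = '5.2.1';
}
EOF
cat > "$demo_dir/current/src/PHPMailer.php" <<'EOF'
<?php
class PHPMailer {
    const VERSION = '6.8.1';
}
EOF
scan_phpmailer "$demo_dir"
rm -rf "$demo_dir"
```

Run it as scan_phpmailer /var/www (or any web root) after sourcing the functions; each AFFECTED line is a copy to upgrade. The numeric packing keeps the range test correct for two-digit patch numbers, which a plain string comparison would get wrong.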

Affected Packages

pypi: phpmailer/phpmailer

Affected Products

PHPMailer Project / PHPMailer

How to fix

Upgrade to PHPMailer version 5.3.2 or later.

For immediate mitigation:
- Use a secure email library like SwiftMailer or Mailgun.
- Set the header_prepend option to false in your PHPMailer configuration (e.g., PHPMailer::HEADER_PREPEND = false;)