Headline
GHSA-398j-f7m7-795j: PHPMailer vulnerable to email header injection
Impact
Arbitrary additional email headers can be injected via crafted From or Sender headers.
Patches
Fixed in 2.2.1
Workarounds
Filter user-supplied values prior to using them in From or Sender properties.
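The workaround above as an added example; this is not PHPMailer's code and not the 2.2.1 patch. The function names `safe_mail_address` and `safe_display_name`, the 64-byte name limit and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: validate user-supplied values before they are assigned to
// the From / Sender properties. Helper names and samples are hypothetical.

/** Returns the address if it is safe to use as From or Sender, else null. */
function safe_mail_address(string $input): ?string
{
    // CR, LF, NUL and other control characters would let the value end its
    // own header line and start a new one, so reject rather than strip.
    if (preg_match('/[\x00-\x1F\x7F]/', $input)) {
        return null;
    }
    // Accept only a single syntactically valid address.
    $valid = filter_var($input, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

/** Returns the display name if it contains no control characters, else null. */
function safe_display_name(string $input, int $maxLen = 64): ?string
{
    if (strlen($input) > $maxLen || preg_match('/[\x00-\x1F\x7F]/', $input)) {
        return null;
    }
    return $input;
}

// Constructed sample inputs, as they might arrive from a contact form.
$samples = [
    'alice@example.com',
    "alice@example.com\r\nBcc: other@example.org",
    "alice@example.com\nX-Added: 1",
    'not an address',
];

foreach ($samples as $raw) {
    $addr = safe_mail_address($raw);
    printf("%-50s => %s\n", json_encode($raw), $addr ?? 'REJECTED');
}

// With PHPMailer, assign only values that passed the checks, and stop
// processing the request when either helper returns null:
//   $mail->From     = $addr;
//   $mail->Sender   = $addr;
//   $mail->FromName = $name;   // result of safe_display_name()
```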
References
https://nvd.nist.gov/vuln/detail/CVE-2012-0796
For more information
If you have any questions or comments about this advisory:
- Open a private issue in the PHPMailer project
High severity GitHub Reviewed Published Oct 6, 2022 in PHPMailer/PHPMailer • Updated Oct 6, 2022
Package
composer phpmailer/phpmailer (Composer)
Affected versions
< 2.2.1
Patched versions
2.2.1
References
- GHSA-398j-f7m7-795j
Synchro published the maintainer security advisory
Mar 5, 2020
Severity
High
Weaknesses
CWE-94
CVE ID
CVE-2012-0796
GHSA ID
GHSA-398j-f7m7-795j
Source code
PHPMailer/PHPMailer
Related news
class.phpmailer.php in the PHPMailer library, as used in Moodle 1.9.x before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 and other products, allows remote authenticated users to inject arbitrary e-mail headers via vectors involving a crafted (1) From: or (2) Sender: header.