GHSA-398j-f7m7-795j: PHPMailer vulnerable to email header injection

Impact

Arbitrary additional email headers can be injected via crafted From or Sender headers.

Patches

Fixed in 2.2.1

Workarounds

Filter user-supplied values prior to using them in From or Sender properties.
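
One way to apply this workaround, as an added example (not code from PHPMailer or from this advisory): the helper name safe_header_address and the sample inputs are constructed for illustration. It rejects any value containing control characters and then requires a bare address, before the value is assigned to the From or Sender property.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not part of PHPMailer: returns an address that is safe
// to assign to the From or Sender property, or null when it must be rejected.
function safe_header_address(string $input): ?string
{
    // Reject (do not strip) any control character. CR and LF end a header
    // line, which is what lets extra headers be appended after the address.
    if (preg_match('/[\x00-\x1F\x7F]/', $input) === 1) {
        return null;
    }
    // Accept only a bare addr-spec; anything else fails validation.
    $address = filter_var($input, FILTER_VALIDATE_EMAIL);
    return $address === false ? null : $address;
}

// Constructed sample inputs, as they might arrive from a contact form.
$samples = [
    'alice@example.com',
    "alice@example.com\r\nBcc: someone@example.net",
    "alice@example.com\nX-Extra: 1",
    'Alice <alice@example.com>',
    '',
];

foreach ($samples as $raw) {
    $address = safe_header_address($raw);
    if ($address === null) {
        // Log the rejected value in escaped form so the log line itself
        // cannot be split by the embedded CR/LF.
        error_log('rejected sender value: ' . addcslashes($raw, "\0..\37\177"));
        continue;
    }
    // Only now would the value be assigned, e.g. $mail->From = $address;
    echo "accepted: {$address}\n";
}
```

Rejecting the whole value, rather than stripping the offending characters and continuing, keeps a malformed submission from being silently turned into a different sender address.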

References

https://nvd.nist.gov/vuln/detail/CVE-2012-0796


High severity · GitHub Reviewed · Published Oct 6, 2022 in PHPMailer/PHPMailer · Updated Oct 6, 2022

Package

phpmailer/phpmailer (Composer)

Affected versions

< 2.2.1

Patched versions

2.2.1

For more information

If you have any questions or comments about this advisory:

  • Open a private issue in the PHPMailer project

References

  • GHSA-398j-f7m7-795j

Synchro published the maintainer security advisory on Mar 5, 2020

Severity

High

Weaknesses

CWE-94

CVE ID

CVE-2012-0796

GHSA ID

GHSA-398j-f7m7-795j

Source code

PHPMailer/PHPMailer

Related news

CVE-2012-0796

class.phpmailer.php in the PHPMailer library, as used in Moodle 1.9.x before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 and other products, allows remote authenticated users to inject arbitrary e-mail headers via vectors involving a crafted (1) From: or (2) Sender: header.