Description
PHPMailer vulnerable to email header injection
Impact
Arbitrary additional email headers can be injected via crafted From or Sender headers.
Patches
Fixed in 2.2.1
Workarounds
Filter user-supplied values prior to using them in From or Sender properties.
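An added example of this workaround, not PHPMailer's own code and not the 2.2.1 fix: a hypothetical helper, `assert_safe_address()`, rejects control characters and anything other than a single bare address before the value would be assigned to the From or Sender property. The sample inputs are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Validate a user-supplied address before it is used as From or Sender.
 * Hypothetical helper for illustration; not part of PHPMailer.
 */
function assert_safe_address(string $value): string
{
    // CR, LF and other control characters (NUL included) can terminate a
    // header line, which is what allows additional headers to be appended.
    if (preg_match('/[\x00-\x1F\x7F]/', $value) === 1) {
        throw new InvalidArgumentException('control character in address');
    }
    // Accept one bare address only: no display name, no address list.
    if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('not a single e-mail address');
    }
    return $value;
}

// Constructed sample inputs: one clean address, two carrying a line break
// followed by an extra header, and one with a display name.
$samples = [
    'alice@example.com',
    "alice@example.com\r\nX-Injected: 1",
    "alice@example.com\nX-Injected: 1",
    'Alice <alice@example.com>',
];

foreach ($samples as $input) {
    try {
        $from = assert_safe_address($input);
        // Only a value that reaches this point would be assigned to the
        // mailer's From or Sender property.
        echo 'accepted: ', $from, PHP_EOL;
    } catch (InvalidArgumentException $e) {
        // json_encode makes the embedded \r and \n visible in the log line.
        echo 'rejected: ', json_encode($input), ' (', $e->getMessage(), ')', PHP_EOL;
    }
}
```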
References
https://nvd.nist.gov/vuln/detail/CVE-2012-0796
For more information
If you have any questions or comments about this advisory:
- Open a private issue in the PHPMailer project
Links
- https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-398j-f7m7-795j
- https://nvd.nist.gov/vuln/detail/CVE-2012-0796
- https://bugzilla.redhat.com/show_bug.cgi?id=783532
- https://git.moodle.org/gw?p=moodle.git&a=commit&h=62988bf0bbc73df655f51884aaf1f523928abff9
- http://moodle.org/mod/forum/discuss.php?d=194015
- http://www.debian.org/security/2012/dsa-2421
Packages
phpmailer/phpmailer: affected versions < 2.2.1, patched version 2.2.1
Related vulnerabilities
class.phpmailer.php in the PHPMailer library, as used in Moodle 1.9.x before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 and other products, allows remote authenticated users to inject arbitrary e-mail headers via vectors involving a crafted (1) From: or (2) Sender: header.