GHSA-398J-F7M7-795J
Vulnerability from github – Published: 2022-10-06 21:25 – Updated: 2023-02-15 19:34
VLAI
Summary
PHPMailer vulnerable to email header injection
Details
Impact
Arbitrary additional email headers can be injected via crafted From or Sender headers.
Patches
Fixed in 2.2.1
Workarounds
Filter user-supplied values prior to using them in From or Sender properties.
References
https://nvd.nist.gov/vuln/detail/CVE-2012-0796
For more information
If you have any questions or comments about this advisory: * Open a private issue in the PHPMailer project
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "phpmailer/phpmailer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2012-0796"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-06T21:25:46Z",
"nvd_published_at": "2012-07-17T10:20:00Z",
"severity": "HIGH"
},
"details": "### Impact\nArbitrary additional email headers can be injected via crafted From or Sender headers.\n\n### Patches\nFixed in 2.2.1\n\n### Workarounds\nFilter user-supplied values prior to using them in From or Sender properties.\n\n### References\nhttps://nvd.nist.gov/vuln/detail/CVE-2012-0796\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open a private issue in [the PHPMailer project](https://github.com/PHPMailer/PHPMailer)",
"id": "GHSA-398j-f7m7-795j",
"modified": "2023-02-15T19:34:00Z",
"published": "2022-10-06T21:25:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-398j-f7m7-795j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0796"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=783532"
},
{
"type": "WEB",
"url": "https://git.moodle.org/gw?p=moodle.git\u0026a=commit\u0026h=62988bf0bbc73df655f51884aaf1f523928abff9"
},
{
"type": "PACKAGE",
"url": "https://github.com/PHPMailer/PHPMailer"
},
{
"type": "WEB",
"url": "http://moodle.org/mod/forum/discuss.php?d=194015"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2012/dsa-2421"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "PHPMailer vulnerable to email header injection"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…