CVE-2021-3603 HIGH

CVE-2021-3603: Inclusion of Functionality from Untrusted Control Sphere in PHPMailer/PHPMailer

Vendor Phpmailer
Product PHPMailer
Weakness CWE-829 · Inclusion from untrusted sphere
Published June 17, 2021
Last update August 3, 2024

CVSS base score

8.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host project's scope by other means). If the $patternselect parameter to validateAddress() is set to 'php' (the default, defined by PHPMailer::$validator), and the global namespace contains a function called php, it will be called in preference to the built-in validator of the same name. Mitigated in PHPMailer 6.5.0 by denying the use of simple strings as validator function names.
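The dispatch problem described above, as an added illustration that is not PHPMailer's own code: a validator that invokes whatever callable `$patternselect` names is hijacked by a global function called `php`, while the hardened form refuses plain-string callables, mirroring the 6.5.0 mitigation of denying simple strings as validator function names. The global `php()` function, the helper names and the sample address are constructed for this demo.

```php
<?php
// Added illustration (not PHPMailer's code): string-dispatched validator
// beside a hardened version that refuses plain-string validator names.

declare(strict_types=1);

// Stand-in for code that reached the global scope by other means; its name
// collides with the 'php' validator key (constructed for this demo).
function php(string $address): bool
{
    error_log("global php() reached with: $address");
    return true; // accepts everything, so validation is defeated
}

// Weak dispatch: any callable, including a bare function name string,
// is invoked before the built-in rule is consulted.
function validateAddressWeak(string $address, $patternselect = 'php'): bool
{
    if (is_callable($patternselect)) {
        // is_callable('php') is true once a global php() exists
        return (bool) $patternselect($address);
    }
    return builtinValidate($address, $patternselect);
}

// Hardened dispatch: only non-string callables (closures, [obj, method]
// arrays) are honoured, so the string 'php' always selects the built-in rule.
function validateAddressHardened(string $address, $patternselect = 'php'): bool
{
    if (is_callable($patternselect) && !is_string($patternselect)) {
        return (bool) $patternselect($address);
    }
    return builtinValidate($address, $patternselect);
}

// Simplified built-in rule keyed by name (not PHPMailer's full rule set).
function builtinValidate(string $address, string $patternselect): bool
{
    switch ($patternselect) {
        case 'php':
            return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
        default:
            return false; // unknown validator name: reject
    }
}

$bad = 'not an address';
var_dump(validateAddressWeak($bad));     // routed to the global php(), accepts the bad input
var_dump(validateAddressHardened($bad)); // routed to filter_var(), rejects it
```

A custom validator can still be supplied to the hardened form as a `Closure`; only the ambiguous string form, which PHP resolves against the global function table, is refused.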

Key dates

Disclosure timeline

June 17, 2021 CVE published
August 3, 2024 Record updated