PHPMailer vulnerable to email header injection

High severity GitHub Reviewed Published Mar 5, 2020 in PHPMailer/PHPMailer • Updated Oct 25, 2023

Package

composer phpmailer/phpmailer (Composer)

Affected versions

< 2.2.1

Patched versions

2.2.1

Description

Impact

Arbitrary additional email headers can be injected via crafted From or Sender headers.

Patches

Fixed in 2.2.1

Workarounds

Filter user-supplied values prior to using them in From or Sender properties.
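As an added illustration of the workaround above (example code written for this page, not PHPMailer's own code), the helper below rejects any candidate address that contains a carriage return, line feed or NUL byte, and additionally requires a single syntactically valid mailbox, before the value is allowed anywhere near the From or Sender properties. The function name safeHeaderAddress and the sample inputs are constructed for this example.

```php
<?php
// Added example, not part of PHPMailer: validate an address before it is
// assigned to the From or Sender property. Helper name is hypothetical.

/**
 * Return the trimmed address if it is a single well-formed mailbox with no
 * header-terminating characters, or null if it must be rejected.
 */
function safeHeaderAddress(string $candidate): ?string
{
    $addr = trim($candidate);

    // A CR, LF or NUL inside a header value is what turns one header line
    // into two when the message is assembled, so reject these outright.
    // filter_var() below would also fail on them; this check is explicit
    // so the reason for rejection is visible and loggable.
    if (preg_match('/[\r\n\0]/', $addr) === 1) {
        return null;
    }

    // Require exactly one RFC-style mailbox (no display name, no lists).
    if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    return $addr;
}

// Constructed sample inputs for demonstration.
$samples = [
    'alice@example.com',                              // well-formed, accepted
    "alice@example.com\r\nX-Injected: value",         // embedded CRLF, rejected
    'not an address',                                 // malformed, rejected
];

foreach ($samples as $s) {
    $result = safeHeaderAddress($s);
    printf("%-45s => %s\n", json_encode($s), $result === null ? 'REJECTED' : 'ok: ' . $result);
}

// Intended use with PHPMailer (assumed usage, illustrative only):
// $from = safeHeaderAddress($_POST['from'] ?? '');
// if ($from === null) {
//     // refuse the request and log the rejected value
// } else {
//     $mail->From = $from;
// }
```

The check is deliberately a whitelist (one valid mailbox) rather than a blacklist of known-bad sequences, so it also covers variants such as a bare LF or a NUL byte without needing a separate rule for each.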

References

https://nvd.nist.gov/vuln/detail/CVE-2012-0796

For more information

If you have any questions or comments about this advisory:

References

Published by the National Vulnerability Database Jul 17, 2012
@Synchro Synchro published to PHPMailer/PHPMailer Mar 5, 2020
Published to the GitHub Advisory Database Oct 6, 2022
Reviewed Oct 6, 2022
Last updated Oct 25, 2023

Severity

High

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(59th percentile)

Weaknesses

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. Learn more on MITRE.

CVE ID

CVE-2012-0796

GHSA ID

GHSA-398j-f7m7-795j

Source code
