CyberSec.Space Logo
Back to CVE Browser

CVE-2018-19296

HIGH
8.8
CVSS Severity Score
EPSS Score0.1180%
EPSS Percentile28.81th
PublishedNov 16, 2018
Last ModifiedNov 21, 2024

Vulnerability Description

PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.

Affected Platforms (CPE)

πŸ“¦
Phpmailer Project

Phpmailer

< 5.2.27
πŸ“¦
Phpmailer Project

Phpmailer

>= 6.0.0 and < 6.0.6
πŸ’»
Debian

Debian Linux

= 8.0
πŸ’»
Debian

Debian Linux

= 9.0
πŸ’»
Fedoraproject

Fedora

= 33
πŸ’»
Fedoraproject

Fedora

= 34
πŸ“¦
Wordpress

Wordpress

>= 3.7 and <= 5.7

References & Advisories

πŸ”— https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.27
πŸ”— https://github.com/PHPMailer/PHPMailer/releases/tag/v6.0.6
πŸ”— https://lists.debian.org/debian-lts-announce/2018/12/msg00020.html
πŸ”— https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3B5WDPGUFNPG4NAZ6G4BZX43BKLAVA5B/
πŸ”— https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KPU66INRFY5BQ3ESVPRUXJR4DXQAFJVT/
πŸ”— https://www.debian.org/security/2018/dsa-4351
πŸ”— https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.27
πŸ”— https://github.com/PHPMailer/PHPMailer/releases/tag/v6.0.6

Related Vulnerabilities

CVE-2008-561910.0

html2text.php in Chuggnutt HTML to Text Converter, as used in PHPMailer before 5.2.10, RoundCube Webmail (roundcubemail) 0.2-1.alp...

CVE-2016-100339.8

The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to ...

CVE-2020-363269.8

PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: th...

CVE-2016-100459.8

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and cons...