Description
PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.
CVSS Metrics
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Attack Vector: network
- Complexity: low
- Privileges: none
- User Action: none
- Scope: unchanged
- Confidentiality: high
- Integrity: high
- Availability: high
- Weaknesses: CWE-502
Metadata
- Primary Vendor: PHPMAILER_PROJECT
- Published: 4/28/2021
- Last Modified: 11/21/2024
- Source: NIST NVD
Affected Products
- phpmailer_project : phpmailer
- wordpress : wordpress