phpmailer vulnerabilities and exploits

6.8
CVSSv2
CVE-2018-19296

PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack....

Phpmailer ProjectPhpmailerDebianDebian Linux
5
CVSSv2
CVE-2018-7662

Couch through 2.0 allows remote attackers to discover the full path via a direct request to includes/mysql2i/mysql2i.func.php or addons/phpmailer/phpmailer.php....

CouchcmsCouch
4.3
CVSSv2
CVE-2017-11503

PHPMailer 5.2.23 has XSS in the "From Email Address" and "To Email Address" fields of code_generator.php....

Phpmailer ProjectPhpmailer
5
CVSSv2
CVE-2017-7983

In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), mail sent using the JMail API leaked the used PHPMailer version in the mail headers....

9
CVSSv2
CVE-2017-7692

SquirrelMail 1.4.22 (and other versions before 20170427_0200-SVN) allows post-authentication remote code execution via a sendmail.cf file that is mishandled in a popen call. It's possible to exploit this vulnerability to execute arbitrary shell commands on the remote...

Squirrelmail
2.1
CVSSv2
CVE-2017-5223

An issue was discovered in PHPMailer before 5.2.22. PHPMailer's msgHTML method applies transformations to an HTML document to make it usable as an email message body. One of the transformations is to convert relative image URLs into attachments using a script-provided base...

Phpmailer ProjectPhpmailer
NA
CVE-2016-1003

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2016-10033. Reason: This candidate is a duplicate of CVE-2016-10033. A typo caused the wrong ID to be used. Notes: All CVE users should reference CVE-2016-10033 instead of this candidate. All references and...

NA
CVE-2016-1004

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2016. Notes: none....

NA
CVE-2016-100332

PHPMailer versions prior to 5.2.18 remote code execution exploit. Written in python....

7.5
CVSSv2
CVE-2016-10034

The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a...

ZendZend-mailZend Framework