CVE-2020-36326
Published: 28 April 2021
PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.
Notes
Author | Note |
---|---|
ccdm94 | this vulnerability was introduced by commit e2e07a35 (v6.1.8). |
Priority
Status
Package | Release | Status |
---|---|---|
libphp-phpmailer Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(code not present)
|
focal |
Not vulnerable
(code not present)
|
|
groovy |
Ignored
(end of life)
|
|
hirsute |
Ignored
(end of life)
|
|
impish |
Ignored
(end of life)
|
|
jammy |
Not vulnerable
(6.2.0-2)
|
|
kinetic |
Not vulnerable
(6.6.3-1)
|
|
lunar |
Not vulnerable
(6.6.3-1)
|
|
trusty |
Does not exist
|
|
upstream |
Released
(6.4.1, 6.2.0-2)
|
|
xenial |
Not vulnerable
(code not present)
|
|
Patches: upstream: https://github.com/PHPMailer/PHPMailer/commit/26f2848d3bbb57add5f34a467a1e3b2f9ce5cd2a upstream: https://github.com/PHPMailer/PHPMailer/commit/7f267fb4aadfcf62e3ddc50494c469c6b9c4405a |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |