Dangerous input validation and code injection vulnerabilities in PHPMailer. Patch now

Cybersecurity specialists reported the detection of at least two security vulnerabilities in PHPMailer, the popular PHP library for sending email from a web server. According to the report, successful exploitation of these flaws would allow remote code execution.

Below are brief descriptions of the reported flaws, together with their CVE identifiers and their scores under the Common Vulnerability Scoring System (CVSS).

CVE-2021-34551: This vulnerability exists due to improper validation of user-supplied input in the setLanguage() method when the $lang_path parameter is processed on a Windows system. A remote threat actor who controls that parameter can supply a UNC path and have arbitrary PHP code run on the affected system.

The vulnerability received a CVSS score of 7.1/10; according to the cybersecurity experts, successful exploitation allows malicious actors to fully compromise the target system.

CVE-2021-3603: This flaw, in turn, exists due to improper input validation in the affected library. If the $patternselect parameter of validateAddress() is set to 'php' (the default, defined by PHPMailer::$validator) and the global namespace contains a function named php, that function is called in preference to the built-in validator of the same name.

Remote attackers can send a specially crafted request and execute arbitrary code on the affected system.

The vulnerability received a CVSS score of 8.1/10, and its exploitation would allow remote threat actors to take control of the affected installations.
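The selection logic behind CVE-2021-3603, as an added illustration rather than PHPMailer's own source: a simplified stand-in for validateAddress() that accepts a validator name, shown first with a weak callable check and then hardened so that a string is only ever a pattern name. The global php() function, the helper names and the pattern names are constructed for this demo; the hardened check reflects the approach of refusing string callables and is an assumption about the fix, not a quote of it.

```php
<?php
// Simplified stand-in for a validateAddress()-style dispatcher (not PHPMailer's code).
// It shows why a string such as 'php' must never be treated as a callable.

function builtinValidate(string $address, string $patternselect): bool
{
    // Strings name one of the library's own validators; nothing else.
    switch ($patternselect) {
        case 'php':
            return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
        case 'noregex':
            // Minimal structural check, constructed for the demo.
            $at = strpos($address, '@');
            return strlen($address) >= 3 && $at >= 1 && $at !== strlen($address) - 1;
        default:
            throw new InvalidArgumentException("Unknown validator: $patternselect");
    }
}

function validateAddressWeak(string $address, $patternselect = 'php'): bool
{
    // Defect: is_callable('php') is true as soon as a global function named
    // php() exists, so the string selects that function instead of the
    // built-in 'php' validator. Any application (or a dependency) that
    // declares such a function silently replaces the address check.
    if (is_callable($patternselect)) {
        return (bool) call_user_func($patternselect, $address);
    }
    return builtinValidate($address, $patternselect);
}

function validateAddressHardened(string $address, $patternselect = 'php'): bool
{
    // Only genuine callables (closures, [object, method] arrays, invokable
    // objects) may override the built-in validators; strings are pattern names.
    if (is_callable($patternselect) && !is_string($patternselect)) {
        return (bool) call_user_func($patternselect, $address);
    }
    return builtinValidate($address, $patternselect);
}

// Constructed for the demo: a global php() that accepts anything.
function php($ignored): bool { return true; }

$address = 'not an address';
// Weak path: dispatches to the global php() above and accepts the string.
var_dump(validateAddressWeak($address));
// Hardened path: the string routes to the built-in validator, which rejects it.
var_dump(validateAddressHardened($address));
```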

Both security flaws reside in the following versions of PHPMailer: 2.0.3, 2.2.1, 2.3.0, 5.0.0, 5.0.2, 5.1.0, 5.2, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.2.9, 5.2.10, 5.2.11, 5.2.12, 5.2.13, 5.2.14, 5.2.15, 5.2.16, 5.2.17, 5.2.18, 5.2.19, 5.2.20, 5.2.21, 5.2.22, 5.2.23, 5.2.24, 5.2.25, 5.2.26, 5.2.27, 5.2.28, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.2.0, 6.3.0, 6.4.0 and 6.4.1.

The reported flaws can be exploited remotely by unauthenticated threat actors. However, cybersecurity experts have not reported any active exploitation attempts or any malware variant associated with these flaws. Security patches addressing both flaws are now available, so users of affected deployments are encouraged to update as soon as possible.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.