PHPMailer Flaw

A critical vulnerability has been identified within the popular open source software PHPMailer which is often implemented in websites for sending emails.

Threat ID:: CC-1040
Category:: Exploit
Threat Severity:: Medium
Threat Vector:
Published:: 3 January 2017 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

A critical vulnerability has been identified within the popular open source software PHPMailer which is often implemented in websites for sending emails.

Threat details

The vulnerability allows an attacker to remotely execute arbitrary code in the context of the web server and compromise the target web application.

To exploit the vulnerability an attacker can target common website components such as contact / feedback forms, registration forms, password resets and others that send out emails with the help of a vulnerable version of the PHPMailer class. Whilst no public exploit exists at the time of writing, a proof of concept has been published which could be used by attackers to develop their own exploits.

Common web server software is vulnerable including WordPress, Drupal, 1CRM, SugarCRM Yii and Joomla as they all use the PHPMailer library for sending emails using a variety of methods to their users.

For further information please see CVE-2016-10033 and CVE-2016-10045.

Remediation steps

Type	Step
	The PHPMailer library should be upgraded to version 5.2.20 and web servers should be upgraded to the latest versions as soon as patches are available from the developers

CVE Vulnerabilities

Status

CVE-2016-10033

Status

CVE-2016-10045

Last edited: 17 February 2020 11:37 am