CVE-2008-5619 — PHPMailer susceptible to arbitrary code execution

Description

html2text.php in Chuggnutt HTML to Text Converter, as used in PHPMailer before 5.2.10, RoundCube Webmail (roundcubemail) 0.2-1.alpha and 0.2-3.beta, Mahara, and AtMail Open 1.03, allows remote attackers to execute arbitrary code via crafted input that is processed by the preg_replace function with the eval switch.

How to fix CVE-2008-5619

To remediate CVE-2008-5619, upgrade the affected package to a fixed version below.

Debian/roundcube—upgrade to 0.1.1-9 or later
Packagist/phpmailer/phpmailer—upgrade to 5.2.10 or later

Is CVE-2008-5619 being exploited?

Likely — EPSS is 77.7%, placing CVE-2008-5619 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (2)

from 0, < 0.1.1-9
from 0, < 5.2.10

References (14)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2008-5619
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2008-5619
WEBmahara.org/interaction/forum/topic.php?id=533
WEBosvdb.org/53893
WEBgithub.com/PHPMailer/PHPMailer