CVE-2021-3603

HIGH8.1EPSS 0.78%

PHPMailer untrusted code may be run from an overridden address validator

Published: 6/22/2021Modified: 2/17/2024
Also known as:GHSA-77mr-wc79-m8j3BIT-phpmailer-2021-3603

Description

If a function is defined that has the same name as the default built-in email address validation scheme (`php`), it will be called in default configuration as when no validation scheme is provided, the default scheme's callable `php` was being called. If an attacker is able to inject such a function into the application (a much bigger issue), it will be called whenever an email address is validated, such as when calling `validateAddress()`. ### Impact Low impact – exploitation requires that an attacker can already inject code into an application, but it provides a trigger pathway. ### Patches This is patched in PHPMailer 6.5.0 by denying the use of simple strings as validator function names, which is a very minor BC break. ### Workarounds Inject your own email validator function. ### References Reported by [Vikrant Singh Chauhan](mailto:[email protected]) via [huntr.dev](https://www.huntr.dev/). [CVE-2021-3603](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3603) ### For more information If you have any questions or comments about this advisory: * Open an issue in [the PHPMailer project](https://github.com/PHPMailer/PHPMailer) * [Email us](mailto:[email protected]).

Affected packages (3)

CVSS scores

SourceVersionSeverityVector
osvCVSS 3.1HIGH8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References (14)