{"id":"GHSA-4pc3-96mx-wwc8","summary":"Remote code execution in PHPMailer","details":"### Impact\nThe `isMail` transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the `mail` command and consequently execute arbitrary code by leveraging improper interaction between the `escapeshellarg` function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.\n\nThis issue really emphasises that it's worth avoiding the built-in PHP `mail()` function entirely.\n\n### Patches\nFixed in 5.2.20\n\n### Workarounds\nSend via SMTP to localhost instead of calling the `mail()` function.\n\n### References\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-10045\nSee also https://nvd.nist.gov/vuln/detail/CVE-2016-10033\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open a private issue in [the PHPMailer project](https://github.com/PHPMailer/PHPMailer)","aliases":["CVE-2016-10045"],"modified":"2025-04-14T22:27:44.787084Z","published":"2020-03-05T22:09:14Z","database_specific":{"nvd_published_at":"2016-12-30T19:59:00Z","github_reviewed":true,"cwe_ids":["CWE-77"],"github_reviewed_at":"2020-03-05T22:06:01Z","severity":"CRITICAL"},"references":[{"type":"WEB","url":"https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-4pc3-96mx-wwc8"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2016-10045"},{"type":"WEB","url":"https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html"},{"type":"WEB","url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/phpmailer/phpmailer/CVE-2016-10045.yaml"},{"type":"PACKAGE","url":"https://github.com/PHPMailer/PHPMailer"},{"type":"WEB","url":"https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.20"},{"type":"WEB","url":"https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities"},{"type":"WEB","url":"https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html"},{"type":"WEB","url":"https://www.exploit-db.com/exploits/40969"},{"type":"WEB","url":"https://www.exploit-db.com/exploits/40986"},{"type":"WEB","url":"https://www.exploit-db.com/exploits/42221"},{"type":"WEB","url":"http://openwall.com/lists/oss-security/2016/12/28/1"},{"type":"WEB","url":"http://packetstormsecurity.com/files/140286/PHPMailer-Remote-Code-Execution.html"},{"type":"WEB","url":"http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html"},{"type":"WEB","url":"http://seclists.org/fulldisclosure/2016/Dec/81"},{"type":"WEB","url":"http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection"}],"affected":[{"package":{"name":"phpmailer/phpmailer","ecosystem":"Packagist","purl":"pkg:composer/phpmailer/phpmailer"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.0.0"},{"fixed":"5.2.20"}]}],"versions":["v5.2.10","v5.2.11","v5.2.12","v5.2.13","v5.2.14","v5.2.15","v5.2.16","v5.2.17","v5.2.18","v5.2.19","v5.2.2","v5.2.4","v5.2.5","v5.2.6","v5.2.7","v5.2.8","v5.2.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-4pc3-96mx-wwc8/GHSA-4pc3-96mx-wwc8.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}