CVE-2018-19296 – Ubuntu Security Notice USN-5956-2

https://notcve.org/view.php?id=CVE-2018-19296

16 Nov 2018 — PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack. PHPMailer en versiones anteriores a la 5.2.27 y versiones 6.x anteriores a la 6.0.6 es vulnerable a un ataque de inyección de objetos. Dawid Golunski discovered that PHPMailer was not properly escaping user input data used as arguments to functions executed by the system shell. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 16.04 ESM. • https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.27 • CWE-502: Deserialization of Untrusted Data CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •