// For flags

CVE-2016-10045

PHPMailer Sendmail Argument Injection

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

9
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.

El transporte isMail en PHPMailer en versiones anteriores a 5.2.20 podrían permitir a atacantes remotos pasar parámetros extra al comando de correo y consecuentemente ejecutar código arbitrario aprovechando una interacción inapropiada entre la función escapeshellarg y un escape interno realizado en la función mail en PHP. NOTA: esta vulnerabilidad existe debido a una incorrecta reparación de CVE-2016-10033.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2016-12-26 CVE Reserved
  • 2016-12-26 First Exploit
  • 2016-12-28 CVE Published
  • 2024-08-06 CVE Updated
  • 2024-09-19 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CAPEC
References (18)
URL Tag Source
http://www.securityfocus.com/archive/1/539967/100/0/threaded Mailing List
http://www.securitytracker.com/id/1037533 Third Party Advisory
https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html Third Party Advisory
https://github.com/opsxcq/exploit-CVE-2016-10033
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
URL Date SRC
https://www.exploit-db.com/exploits/42221 2024-08-06
https://www.exploit-db.com/exploits/40969 2024-08-06
https://www.exploit-db.com/exploits/40986 2024-08-06
http://packetstormsecurity.com/files/140286/PHPMailer-Remote-Code-Execution.html 2024-08-06
http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html 2024-08-06
http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection 2024-08-06
http://www.securityfocus.com/bid/95130 2024-08-06
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html 2024-08-06
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/phpmailer_arg_injection.rb 2016-12-26
URL Date SRC
http://openwall.com/lists/oss-security/2016/12/28/1 2021-09-30
http://seclists.org/fulldisclosure/2016/Dec/81 2021-09-30
https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.20 2021-09-30
https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities 2021-09-30
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Phpmailer Project
Search vendor "Phpmailer Project"
 Phpmailer
Search vendor "Phpmailer Project" for product "Phpmailer"
 < 5.2.20
Search vendor "Phpmailer Project" for product "Phpmailer" and version " < 5.2.20"
-
Affected
Wordpress
Search vendor "Wordpress"
 Wordpress
Search vendor "Wordpress" for product "Wordpress"
 <= 4.7
Search vendor "Wordpress" for product "Wordpress" and version " <= 4.7"
-
Affected
Joomla
Search vendor "Joomla"
 Joomla\!
Search vendor "Joomla" for product "Joomla\!"
 >= 1.5.0 <= 3.6.5
Search vendor "Joomla" for product "Joomla\!" and version " >= 1.5.0 <= 3.6.5"
-
Affected