CVE-2017-5223

PHPMailer < 5.2.21 - Local File Disclosure

Severity Score

5.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in PHPMailer before 5.2.22. PHPMailer's msgHTML method applies transformations to an HTML document to make it usable as an email message body. One of the transformations is to convert relative image URLs into attachments using a script-provided base directory. If no base directory is provided, it resolves to /, meaning that relative image URLs get treated as absolute local file paths and added as attachments. To form a remote vulnerability, the msgHTML method must be called, passed an unfiltered, user-supplied HTML document, and must not set a base directory.

Se ha descubierto un problema en PHPMailer en versiones anteriores a 5.2.22. El método msgHTML de PHPMailer aplica transformaciones a un documento HTML para hacerlo utilizable como un cuerpo de mail. Una de las transformaciones es convertir URLs de imágenes relativas en adjuntos utilizando un directorio base proporcionado por script. Si no se proporciona ningún directorio base, se resuelve en /, lo que significa que las URLs de imágenes relativas se tratan como rutas de archivo locales absolutas y se añaden como adjuntos. Para formar una vulnerabilidad remota, el método msgHTML debe ser llamado, pasado a un documento HTML suministrado por el usuario no filtrado y no debe establecer un directorio base.

Dawid Golunski discovered that PHPMailer was not properly escaping user input data used as arguments to functions executed by the system shell. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 16.04 ESM. It was discovered that PHPMailer was not properly escaping characters in certain fields of the code_generator.php example code. An attacker could possibly use this issue to conduct cross-site scripting attacks. This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04 ESM.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-01-09 CVE Reserved
2017-01-16 CVE Published
2017-10-26 First Exploit
2024-08-05 CVE Updated
2025-04-01 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CAPEC

References (6)

URL	Tag	Source
http://www.securityfocus.com/bid/95328	Third Party Advisory

URL	Date	SRC
https://packetstorm.news/files/id/144768	2017-10-26
https://www.exploit-db.com/exploits/43056	2024-08-05
https://github.com/cscli/CVE-2017-5223	2018-09-26
http://kalilinux.co/2017/01/12/phpmailer-cve-2017-5223-local-information-disclosure-vulnerability-analysis	2024-08-05

URL	Date	SRC
https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md	2017-10-28

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Phpmailer Project Search vendor "Phpmailer Project"		Phpmailer Search vendor "Phpmailer Project" for product "Phpmailer"				<= 5.2.21 Search vendor "Phpmailer Project" for product "Phpmailer" and version " <= 5.2.21"		-		Affected