GSD-2016-10045

Vulnerability from gsd - Updated: 2023-12-13 01:21
Details
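The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033. Remediation, per the advisory data in the record below: upgrade to PHPMailer 5.2.20. Versions 5.2.18 and 5.2.19, which carried the earlier CVE-2016-10033 fix, are listed as affected, and the NVD configuration also lists WordPress up to and including 4.7 and Joomla! 1.5.0 through 3.6.5 as vulnerable configurations.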

{
  "GSD": {
    "alias": "CVE-2016-10045",
    "description": "The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.",
    "id": "GSD-2016-10045",
    "references": [
      "https://www.suse.com/security/cve/CVE-2016-10045.html",
      "https://security.archlinux.org/CVE-2016-10045",
      "https://packetstormsecurity.com/files/cve/CVE-2016-10045"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2016-10045"
      ],
      "details": "The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.",
      "id": "GSD-2016-10045",
      "modified": "2023-12-13T01:21:26.772243Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2016-10045",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://packetstormsecurity.com/files/140286/PHPMailer-Remote-Code-Execution.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/140286/PHPMailer-Remote-Code-Execution.html"
          },
          {
            "name": "http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html"
          },
          {
            "name": "42221",
            "refsource": "EXPLOIT-DB",
            "url": "https://www.exploit-db.com/exploits/42221/"
          },
          {
            "name": "40969",
            "refsource": "EXPLOIT-DB",
            "url": "https://www.exploit-db.com/exploits/40969/"
          },
          {
            "name": "20161228 PHPMailer \u003c 5.2.20 Remote Code Execution PoC 0day Exploit (CVE-2016-10045) (Bypass of the CVE-2016-1033 patch)",
            "refsource": "BUGTRAQ",
            "url": "http://www.securityfocus.com/archive/1/539967/100/0/threaded"
          },
          {
            "name": "[oss-security] 20161228 Re: PHPMailer \u003c 5.2.18 Remote Code Execution [updated advisory] [CVE-2016-10033]",
            "refsource": "MLIST",
            "url": "http://openwall.com/lists/oss-security/2016/12/28/1"
          },
          {
            "name": "https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities",
            "refsource": "CONFIRM",
            "url": "https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities"
          },
          {
            "name": "https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.20",
            "refsource": "CONFIRM",
            "url": "https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.20"
          },
          {
            "name": "40986",
            "refsource": "EXPLOIT-DB",
            "url": "https://www.exploit-db.com/exploits/40986/"
          },
          {
            "name": "http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection",
            "refsource": "MISC",
            "url": "http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection"
          },
          {
            "name": "95130",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/95130"
          },
          {
            "name": "https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html",
            "refsource": "MISC",
            "url": "https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html"
          },
          {
            "name": "20161227 PHPMailer \u003c 5.2.20 Remote Code Execution PoC 0day Exploit (CVE-2016-10045) (Bypass of the CVE-2016-1033 patch)",
            "refsource": "FULLDISC",
            "url": "http://seclists.org/fulldisclosure/2016/Dec/81"
          },
          {
            "name": "1037533",
            "refsource": "SECTRACK",
            "url": "http://www.securitytracker.com/id/1037533"
          },
          {
            "name": "https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html",
            "refsource": "CONFIRM",
            "url": "https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "5.2.18||5.2.19",
          "affected_versions": "Version 5.2.18, version 5.2.19",
          "credit": "Dawid Golunski",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-77",
            "CWE-937"
          ],
          "date": "2018-10-09",
          "description": "The patch for the CVE-2016-10033 vulnerability added in PHPMailer sanitizes the `$Sender` variable by applying `escapeshellarg()` escaping before the value is passed to the `mail()` function. However, it does not take into account the clash between `escapeshellarg()` and the internal `escapeshellcmd()` escaping that `mail()` performs on its 5th parameter. As a result, it is possible to inject an extra quote that does not get properly escaped and break out of the `escapeshellarg()` protection applied by the patch in PHPMailer.",
          "fixed_versions": [
            "5.2.20"
          ],
          "identifier": "CVE-2016-10045",
          "identifiers": [
            "CVE-2016-10045"
          ],
          "package_slug": "packagist/phpmailer/phpmailer",
          "pubdate": "2016-12-30",
          "solution": "Upgrade to version 5.2.20.",
          "title": "Remote Code Execution (0day Patch Bypass/exploit)",
          "urls": [
            "https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html",
            "https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html"
          ],
          "uuid": "2806fe84-1e8f-411d-b3dd-b209a88a33c5"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:phpmailer_project:phpmailer:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.2.20",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "4.7",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:joomla:joomla\\!:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "3.6.5",
                "versionStartIncluding": "1.5.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2016-10045"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-77"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "40969",
              "refsource": "EXPLOIT-DB",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "https://www.exploit-db.com/exploits/40969/"
            },
            {
              "name": "https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html"
            },
            {
              "name": "https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities"
            },
            {
              "name": "https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.20",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.20"
            },
            {
              "name": "https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html"
            },
            {
              "name": "95130",
              "refsource": "BID",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/95130"
            },
            {
              "name": "20161227 PHPMailer \u003c 5.2.20 Remote Code Execution PoC 0day Exploit (CVE-2016-10045) (Bypass of the CVE-2016-1033 patch)",
              "refsource": "FULLDISC",
              "tags": [
                "Mailing List",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "http://seclists.org/fulldisclosure/2016/Dec/81"
            },
            {
              "name": "http://packetstormsecurity.com/files/140286/PHPMailer-Remote-Code-Execution.html",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/140286/PHPMailer-Remote-Code-Execution.html"
            },
            {
              "name": "[oss-security] 20161228 Re: PHPMailer \u003c 5.2.18 Remote Code Execution [updated advisory] [CVE-2016-10033]",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Patch"
              ],
              "url": "http://openwall.com/lists/oss-security/2016/12/28/1"
            },
            {
              "name": "http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection"
            },
            {
              "name": "http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html"
            },
            {
              "name": "1037533",
              "refsource": "SECTRACK",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securitytracker.com/id/1037533"
            },
            {
              "name": "42221",
              "refsource": "EXPLOIT-DB",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "https://www.exploit-db.com/exploits/42221/"
            },
            {
              "name": "40986",
              "refsource": "EXPLOIT-DB",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "https://www.exploit-db.com/exploits/40986/"
            },
            {
              "name": "20161228 PHPMailer \u003c 5.2.20 Remote Code Execution PoC 0day Exploit (CVE-2016-10045) (Bypass of the CVE-2016-1033 patch)",
              "refsource": "BUGTRAQ",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/archive/1/539967/100/0/threaded"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2021-09-30T16:30Z",
      "publishedDate": "2016-12-30T19:59Z"
    }
  }
}







Sightings


Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

