gsd-2016-10045
Vulnerability from gsd
Modified
2023-12-13 01:21
Details
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.



{
  "GSD": {
    "alias": "CVE-2016-10045",
    "description": "The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.",
    "id": "GSD-2016-10045",
    "references": [
      "https://www.suse.com/security/cve/CVE-2016-10045.html",
      "https://security.archlinux.org/CVE-2016-10045",
      "https://packetstormsecurity.com/files/cve/CVE-2016-10045"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2016-10045"
      ],
      "details": "The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.",
      "id": "GSD-2016-10045",
      "modified": "2023-12-13T01:21:26.772243Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2016-10045",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://packetstormsecurity.com/files/140286/PHPMailer-Remote-Code-Execution.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/140286/PHPMailer-Remote-Code-Execution.html"
          },
          {
            "name": "http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html"
          },
          {
            "name": "42221",
            "refsource": "EXPLOIT-DB",
            "url": "https://www.exploit-db.com/exploits/42221/"
          },
          {
            "name": "40969",
            "refsource": "EXPLOIT-DB",
            "url": "https://www.exploit-db.com/exploits/40969/"
          },
          {
            "name": "20161228 PHPMailer \u003c 5.2.20 Remote Code Execution PoC 0day Exploit (CVE-2016-10045) (Bypass of the CVE-2016-1033 patch)",
            "refsource": "BUGTRAQ",
            "url": "http://www.securityfocus.com/archive/1/539967/100/0/threaded"
          },
          {
            "name": "[oss-security] 20161228 Re: PHPMailer \u003c 5.2.18 Remote Code Execution [updated advisory] [CVE-2016-10033]",
            "refsource": "MLIST",
            "url": "http://openwall.com/lists/oss-security/2016/12/28/1"
          },
          {
            "name": "https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities",
            "refsource": "CONFIRM",
            "url": "https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities"
          },
          {
            "name": "https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.20",
            "refsource": "CONFIRM",
            "url": "https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.20"
          },
          {
            "name": "40986",
            "refsource": "EXPLOIT-DB",
            "url": "https://www.exploit-db.com/exploits/40986/"
          },
          {
            "name": "http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection",
            "refsource": "MISC",
            "url": "http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection"
          },
          {
            "name": "95130",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/95130"
          },
          {
            "name": "https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html",
            "refsource": "MISC",
            "url": "https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html"
          },
          {
            "name": "20161227 PHPMailer \u003c 5.2.20 Remote Code Execution PoC 0day Exploit (CVE-2016-10045) (Bypass of the CVE-2016-1033 patch)",
            "refsource": "FULLDISC",
            "url": "http://seclists.org/fulldisclosure/2016/Dec/81"
          },
          {
            "name": "1037533",
            "refsource": "SECTRACK",
            "url": "http://www.securitytracker.com/id/1037533"
          },
          {
            "name": "https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html",
            "refsource": "CONFIRM",
            "url": "https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "5.2.18||5.2.19",
          "affected_versions": "Version 5.2.18, version 5.2.19",
          "credit": "Dawid Golunski",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-77",
            "CWE-937"
          ],
          "date": "2018-10-09",
          "description": "The patch for the CVE-2016-10033 vulnerability added in PHPMailer sanitizes the `$Sender` variable by applying `escapeshellarg()` escaping before the value is passed to the `mail()` function. It does not, however, take into account the clash between `escapeshellarg()` and the internal `escapeshellcmd()` escaping that `mail()` performs on its 5th parameter. As a result, it is possible to inject an extra quote that does not get properly escaped and break out of the `escapeshellarg()` protection applied by the patch in PHPMailer.",
          "fixed_versions": [
            "5.2.20"
          ],
          "identifier": "CVE-2016-10045",
          "identifiers": [
            "CVE-2016-10045"
          ],
          "package_slug": "packagist/phpmailer/phpmailer",
          "pubdate": "2016-12-30",
          "solution": "Upgrade to version 5.2.20.",
          "title": "Remote Code Execution (0day Patch Bypass/exploit)",
          "urls": [
            "https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html",
            "https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html"
          ],
          "uuid": "2806fe84-1e8f-411d-b3dd-b209a88a33c5"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:phpmailer_project:phpmailer:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.2.20",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "4.7",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:joomla:joomla\\!:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "3.6.5",
                "versionStartIncluding": "1.5.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2016-10045"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-77"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "40969",
              "refsource": "EXPLOIT-DB",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "https://www.exploit-db.com/exploits/40969/"
            },
            {
              "name": "https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html"
            },
            {
              "name": "https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities"
            },
            {
              "name": "https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.20",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.20"
            },
            {
              "name": "https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html"
            },
            {
              "name": "95130",
              "refsource": "BID",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/95130"
            },
            {
              "name": "20161227 PHPMailer \u003c 5.2.20 Remote Code Execution PoC 0day Exploit (CVE-2016-10045) (Bypass of the CVE-2016-1033 patch)",
              "refsource": "FULLDISC",
              "tags": [
                "Mailing List",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "http://seclists.org/fulldisclosure/2016/Dec/81"
            },
            {
              "name": "http://packetstormsecurity.com/files/140286/PHPMailer-Remote-Code-Execution.html",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/140286/PHPMailer-Remote-Code-Execution.html"
            },
            {
              "name": "[oss-security] 20161228 Re: PHPMailer \u003c 5.2.18 Remote Code Execution [updated advisory] [CVE-2016-10033]",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Patch"
              ],
              "url": "http://openwall.com/lists/oss-security/2016/12/28/1"
            },
            {
              "name": "http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection"
            },
            {
              "name": "http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html"
            },
            {
              "name": "1037533",
              "refsource": "SECTRACK",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securitytracker.com/id/1037533"
            },
            {
              "name": "42221",
              "refsource": "EXPLOIT-DB",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "https://www.exploit-db.com/exploits/42221/"
            },
            {
              "name": "40986",
              "refsource": "EXPLOIT-DB",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "https://www.exploit-db.com/exploits/40986/"
            },
            {
              "name": "20161228 PHPMailer \u003c 5.2.20 Remote Code Execution PoC 0day Exploit (CVE-2016-10045) (Bypass of the CVE-2016-1033 patch)",
              "refsource": "BUGTRAQ",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/archive/1/539967/100/0/threaded"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2021-09-30T16:30Z",
      "publishedDate": "2016-12-30T19:59Z"
    }
  }
}








Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.