PHPMailer versions prior to 6.0.6 and 5.2.27 are vulnerable to PHP object injection: an attacker who can influence the path passed to addAttachment(), or to other methods that accept an unfiltered local file path, can supply a phar:// URL instead of a plain path. PHP's phar stream wrapper unserializes the archive's metadata when such a path is opened or merely stat-checked (for example by is_file()), and the wrapper does not require a .phar extension, so a crafted archive the attacker has already placed on the server under any file name can feed attacker-controlled data to unserialize(). Given a suitable gadget chain among the application's loaded classes, this can lead to RCE. Exploitation therefore requires both a path the attacker controls and a way to plant a file on the host. See this article for more info on this type of vulnerability. Mitigated by blocking the use of paths containing URL-protocol style prefixes such as phar://. Reported by Sehun Oh of cyberone.kr.
Remediation
Upgrade phpmailer/phpmailer to version 6.0.6 or later (6.x branch) or to 5.2.27 or later (5.2.x branch). For example, in composer.json:
    "require": {
        "phpmailer/phpmailer": "6.0.6"
    }
A caret constraint such as "^6.0.6" accepts later patch and minor releases that keep the fix; run composer update phpmailer/phpmailer afterwards so that composer.lock actually moves to the fixed version. Always verify the validity and compatibility of suggestions with your codebase. Note that the library fix only filters paths that reach PHPMailer itself; application code that hands user-controlled paths to other filesystem functions still needs its own validation.
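The vulnerable call pattern described in the overview above and the kind of path filtering the remediation relies on, shown side by side as an added example (this is not PHPMailer's own code nor part of the advisory). It assumes a Composer-installed PHPMailer 6.x, an uploads directory beside the script, and hypothetical helper names (ATTACHMENT_ROOT, hasStreamWrapperPrefix, safeAttachmentPath, sendWithAttachmentUnfiltered, sendWithAttachmentFiltered); the inputs in the loop at the end are constructed for the demonstration and no mail is sent:

```php
<?php
// Added example, not PHPMailer's or the advisory's own code. Assumes a
// Composer-installed PHPMailer 6.x and an "uploads" directory next to this
// script. ATTACHMENT_ROOT, hasStreamWrapperPrefix(), safeAttachmentPath() and
// the two send*() helpers are hypothetical names introduced here.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;

const ATTACHMENT_ROOT = __DIR__ . '/uploads';

// VULNERABLE (pre-6.0.6 behaviour): the path goes straight to addAttachment(),
// which calls is_file() on it and later opens it. If $path is
// 'phar://uploads/avatar.jpg', on PHP 7.x the phar stream wrapper unserializes
// the archive's metadata during that is_file() check, before any data is read.
function sendWithAttachmentUnfiltered(PHPMailer $mail, string $path): bool
{
    return $mail->addAttachment($path);
}

// Detect any URL-scheme prefix (phar://, file://, data://, http:// ...).
// Scheme syntax per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ).
function hasStreamWrapperPrefix(string $path): bool
{
    return (bool) preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path);
}

// Map a user-supplied file name onto a real file inside ATTACHMENT_ROOT.
// Returns null when the value is a wrapper URL, escapes the directory, or does
// not exist. The wrapper check runs before any filesystem call so that no
// phar:// value is ever handed to is_file() or realpath().
function safeAttachmentPath(string $userSupplied): ?string
{
    if (hasStreamWrapperPrefix($userSupplied)) {
        return null;
    }
    $root = realpath(ATTACHMENT_ROOT);
    if ($root === false) {
        return null;
    }
    // basename() drops directory components and leading "../" sequences;
    // realpath() then resolves symlinks so containment is checked on the
    // canonical location (basename('..') is '..', which this check catches).
    $candidate = realpath($root . DIRECTORY_SEPARATOR . basename($userSupplied));
    if ($candidate === false || strpos($candidate, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// HARDENED: only a vetted path reaches PHPMailer, and the user's own name for
// the file is passed as the display name ($name), never as the path.
function sendWithAttachmentFiltered(PHPMailer $mail, string $userSupplied): bool
{
    $path = safeAttachmentPath($userSupplied);
    if ($path === null) {
        return false;
    }
    return $mail->addAttachment($path, basename($userSupplied));
}

// Demonstration of the filter on constructed inputs (no mail is sent).
$mail = new PHPMailer(true); // true: throw Exception instead of returning false
foreach ([
    'report.pdf',                  // plain name: accepted only if uploads/report.pdf exists
    '../../etc/passwd',            // traversal: reduced to uploads/passwd, likely absent
    'phar://uploads/avatar.jpg',   // phar wrapper: rejected before any stat call
    'PHAR://uploads/avatar.jpg/x', // case and a trailing path do not bypass the check
    'file:///etc/passwd',          // other wrappers are rejected too
] as $input) {
    try {
        $ok = sendWithAttachmentFiltered($mail, $input);
    } catch (Exception $e) {
        $ok = false; // addAttachment() throws when the file cannot be accessed
    }
    printf("%-30s wrapper=%-3s accepted=%s\n",
        $input,
        hasStreamWrapperPrefix($input) ? 'yes' : 'no',
        $ok ? 'yes' : 'no');
}
```

The scheme check is placed at the application boundary rather than relied on inside the library for two reasons: it also protects any other code that touches the same value with is_file(), file_exists() or fopen(), and it still holds if an older PHPMailer is pinned somewhere in the dependency tree. Passing the user's file name only as the $name argument keeps attacker-controlled strings out of the filesystem path entirely.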