Candidate: CVE-2021-3603
PublicDate: 2021-06-17 12:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3603
 https://www.huntr.dev/bounties/1-PHPMailer/PHPMailer/
 https://github.com/PHPMailer/PHPMailer/commit/45f3c18dc6a2de1cb1bf49b9b249a9ee36a5f7f3 (v6.5.0)
 https://github.com/PHPMailer/PHPMailer/commit/45f3c18dc6a2de1cb1bf49b9b249a9ee36a5f7f3
Description:
 PHPMailer 6.4.1 and earlier contain a vulnerability that can result in
 untrusted code being called (if such code is injected into the host
 project's scope by other means). If the $patternselect parameter to
 validateAddress() is set to 'php' (the default, defined by
 PHPMailer::$validator), and the global namespace contains a function called
 php, it will be called in preference to the built-in validator of the same
 name. Mitigated in PHPMailer 6.5.0 by denying the use of simple strings as
 validator function names.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H [8.1 HIGH]


Patches_libphp-phpmailer:
upstream_libphp-phpmailer: needs-triage
trusty_libphp-phpmailer: ignored (out of standard support)
trusty/esm_libphp-phpmailer: DNE
xenial_libphp-phpmailer: ignored (out of standard support)
bionic_libphp-phpmailer: needs-triage
focal_libphp-phpmailer: needs-triage
groovy_libphp-phpmailer: ignored (reached end-of-life)
hirsute_libphp-phpmailer: ignored (reached end-of-life)
impish_libphp-phpmailer: needs-triage
jammy_libphp-phpmailer: needs-triage
devel_libphp-phpmailer: needs-triage