PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2021-04-28T02:21:53
Updated: 2024-08-04T17:23:10.518Z
Reserved: 2021-04-28T00:00:00
Link: CVE-2020-36326
Vulnrichment
No data.
NVD
Status : Modified
Published: 2021-04-28T03:15:07.400
Modified: 2024-11-21T05:29:17.330
Link: CVE-2020-36326
Redhat
No data.