CVE-2016-10033
KEV
🔴 Patch now
Argument injection through the Sender property in PHPMailer's isMail transport lets a remote attacker pass extra parameters to the mail command and execute arbitrary code.
CVSS
9.8
EPSS
94.5%
Exploit
weaponized
Vendor
joomla (downstream consumer; the affected component is the PHPMailer library, which Joomla and Drupal bundle, see the advisories below)
Source description (NVD)
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
Patch: available (fixed in PHPMailer 5.2.18; see the vendor release and wiki references below)
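The NVD text says the whole problem is a `\"` in a user-controlled Sender that ends up in the parameter string handed to the system mail command. The PHP snippet below is an added illustration, not PHPMailer's own source: `buildMailParamsUnsafe` mirrors the general shape of an unvalidated `-f<sender>` argument, and `isSafeEnvelopeSender` is a strict check an application can run on any sender value before it reaches `mail()`. The function names and the sample inputs are constructed for this example, and the option name inside the crafted input is a placeholder, not a real sendmail switch. Note that the vendor wiki linked below covers this CVE together with the follow-up CVE-2016-10045, so upgrade to the latest 5.2.x release rather than stopping at exactly 5.2.18.

```php
<?php
// Added example, not PHPMailer code: why a Sender containing \" is dangerous
// once it reaches mail()'s fifth (additional_parameters) argument, and a
// strict check that rejects such values. Names and inputs are constructed.

declare(strict_types=1);

/**
 * Shape of the pre-5.2.18 pattern described in the advisory: the sender is
 * interpolated into the sendmail parameter string without validation.
 * This is NOT PHPMailer's exact source, only the vulnerable idiom.
 */
function buildMailParamsUnsafe(string $sender): string
{
    return sprintf('-f%s', $sender);
}

/**
 * Strict allow-list for an envelope sender: a single plain address with no
 * whitespace, quotes, backslashes or shell metacharacters. Anything that
 * fails this must never be passed to mail()'s parameter argument.
 */
function isSafeEnvelopeSender(string $sender): bool
{
    if ($sender === '' || strlen($sender) > 254) {
        return false;
    }
    // Characters that can terminate the address token or start a new
    // argument for the mail binary.
    if (preg_match('/[\s"\'\\\\`$;&|<>(){}\[\]]/', $sender) === 1) {
        return false;
    }
    return filter_var($sender, FILTER_VALIDATE_EMAIL) !== false;
}

/** Hardened variant: returns null (send without -f) when the sender is rejected. */
function buildMailParamsSafe(string $sender): ?string
{
    return isSafeEnvelopeSender($sender) ? sprintf('-f%s', $sender) : null;
}

// Constructed sample inputs.
$benign = 'alice@example.com';
// Shape of the dangerous input from the NVD description: the \" closes the
// quoted local part so the tail is parsed as additional mail parameters.
// "-PLACEHOLDER-OPTION" stands in for whatever option an attacker would add.
$crafted = '"a\" -PLACEHOLDER-OPTION x"@example.com';

foreach ([$benign, $crafted] as $s) {
    printf("input:  %s\n", $s);
    printf("unsafe: %s\n", buildMailParamsUnsafe($s));
    printf("safe:   %s\n\n", buildMailParamsSafe($s) ?? '<rejected, not passed to mail()>');
}
```

Run it with `php` on the command line; the benign address produces `-falice@example.com` in both variants, while the crafted value is passed through verbatim by the unsafe builder and rejected by the safe one. The check is deliberately stricter than RFC 5321 (quoted local parts are refused) because the only thing an envelope sender needs to do here is survive being placed on a command line unchanged.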
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 9.8 |
| CISA KEV (actively exploited) | Yes |
| FIRST EPSS (exploitation probability) | 94.5% |
| Published (NVD) | 2016-12-30 19:59:00 UTC |
| Last modified (NVD) | 2026-04-21 16:27:03 UTC |
References
- http://packetstormsecurity.com/files/140291/PHPMailer-Remote-Code-Execution.html (cve@mitre.org) [Exploit, Third Party Advisory, VDB Entry]
- http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html (cve@mitre.org) [Exploit, Third Party Advisory, VDB Entry]
- http://seclists.org/fulldisclosure/2016/Dec/78 (cve@mitre.org) [Mailing List, Patch, Third Party Advisory]
- http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection (cve@mitre.org) [Exploit, Third Party Advisory]
- http://www.securityfocus.com/archive/1/539963/100/0/threaded (cve@mitre.org) [Broken Link, Third Party Advisory, VDB Entry]
- http://www.securityfocus.com/bid/95108 (cve@mitre.org) [Broken Link, Exploit, Third Party Advisory, VDB Entry]
- http://www.securitytracker.com/id/1037533 (cve@mitre.org) [Broken Link, Third Party Advisory, VDB Entry]
- https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html (cve@mitre.org) [Third Party Advisory]
- https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.18 (cve@mitre.org) [Patch, Vendor Advisory]
- https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities (cve@mitre.org) [Patch, Vendor Advisory]
- https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html (cve@mitre.org) [Exploit, Patch, Third Party Advisory]
- https://www.drupal.org/psa-2016-004 (cve@mitre.org) [Third Party Advisory]
- https://www.exploit-db.com/exploits/40968/ (cve@mitre.org) [Exploit, Patch, Third Party Advisory, VDB Entry]
- https://www.exploit-db.com/exploits/40969/ (cve@mitre.org) [Exploit, Third Party Advisory, VDB Entry]
- https://www.exploit-db.com/exploits/40970/ (cve@mitre.org) [Exploit, Patch, Third Party Advisory, VDB Entry]
- https://www.exploit-db.com/exploits/40974/ (cve@mitre.org) [Exploit, Third Party Advisory, VDB Entry]
- https://www.exploit-db.com/exploits/40986/ (cve@mitre.org) [Exploit, Third Party Advisory, VDB Entry]
- https://www.exploit-db.com/exploits/41962/ (cve@mitre.org) [Exploit, Third Party Advisory, VDB Entry]
- https://www.exploit-db.com/exploits/41996/ (cve@mitre.org) [Exploit, Third Party Advisory, VDB Entry]
- https://www.exploit-db.com/exploits/42024/ (cve@mitre.org) [Exploit, Third Party Advisory, VDB Entry]
- https://www.exploit-db.com/exploits/42221/ (cve@mitre.org) [Exploit, Third Party Advisory, VDB Entry]
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-10033 (134c704f-9b21-4f2e-91b3-4a467353bcc0) [US Government Resource]