Description
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
Remediation
References
Related Vulnerabilities
ProjectSend Authorization Bypass Through User-Controlled Key Vulnerability (CVE-2024-7658)
WordPress Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2021-39200)
Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-15110)
Python Uncontrolled Resource Consumption Vulnerability (CVE-2012-0876)
WordPress Plugin WP Job Manager PHP Object Injection (1.29.2)