Key Points
A number of vulnerabilities were recently discovered, which affect email sending functionality in the following software libraries:
- PHPMailer < 5.2.20
- SwiftMailer < 5.4.5-DEV
- ZendFramework Mail < 2.4.11 (inc. zend-mail < 2.4.11 & < 2.7.2)
If successfully exploited, these weaknesses allow a remote attacker to compromise the affected system by executing arbitrary commands.

As with last week’s bulletin about PHPMailer (which is affected once again), it’s worth noting that whether an application using these libraries is vulnerable, and how easy it is to exploit, depends heavily on how the libraries are used in each instance. Information has not currently been released regarding how these vulnerabilities might affect third-party software that uses the libraries (e.g. WordPress, Joomla, SugarCRM, 1CRM, Yii, Symfony, Laravel and more).

Software using these libraries should be updated at the next available opportunity. Until the vulnerability is patched within third-party software, one workaround is to update the libraries yourself, though we expect to start seeing vendor updates released over the next few days.

Further details of these vulnerabilities can be found at:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html
https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html
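As a practical follow-up to the update advice above, the added script below (not part of this bulletin or of the affected projects) scans a Composer lock file for the library versions listed in this bulletin. It assumes the Packagist names phpmailer/phpmailer, swiftmailer/swiftmailer, zendframework/zend-mail and zendframework/zendframework, reads the "< 2.4.11 & < 2.7.2" note as two zend-mail branches (2.4.x fixed in 2.4.11, 2.5-2.7 fixed in 2.7.2), and the sample lock file is constructed.

```python
import json

# Affected ranges (lo inclusive, hi exclusive) taken from the bulletin.
# Assumptions: Packagist package names; "ZendFramework Mail < 2.4.11" mapped to
# zendframework/zendframework; zend-mail split into two fixed branches.
ADVISORY = {
    "phpmailer/phpmailer":         [("0.0.0", "5.2.20")],
    "swiftmailer/swiftmailer":     [("0.0.0", "5.4.5-DEV")],
    "zendframework/zendframework": [("0.0.0", "2.4.11")],
    "zendframework/zend-mail":     [("0.0.0", "2.4.11"), ("2.5.0", "2.7.2")],
}

def version_key(version):
    """Comparable key for a Composer version string such as 'v5.4.5-DEV'.
    Numeric parts come first; a pre-release suffix (-DEV, -beta1, ...) ranks
    below the stable release with the same numbers, matching Composer's order."""
    core, _, suffix = version.lstrip("vV").partition("-")
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3]) + (0 if suffix else 1,)

def is_affected(package, version):
    """True if the installed version falls inside an affected range."""
    key = version_key(version)
    return any(version_key(lo) <= key < version_key(hi)
               for lo, hi in ADVISORY.get(package, []))

def scan_composer_lock(lock_text):
    """Return (package, version, fixed_in) for every affected entry in a
    composer.lock, covering both 'packages' and 'packages-dev'."""
    lock = json.loads(lock_text)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name, version = pkg["name"], pkg["version"]
        if is_affected(name, version):
            fixed_in = next(hi for lo, hi in ADVISORY[name]
                            if version_key(lo) <= version_key(version) < version_key(hi))
            findings.append((name, version, fixed_in))
    return findings

# Constructed sample lock file: two affected entries, one fixed, one unrelated.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "phpmailer/phpmailer", "version": "v5.2.18"},
    {"name": "swiftmailer/swiftmailer", "version": "v5.4.5"},
    {"name": "zendframework/zend-mail", "version": "2.7.1"},
    {"name": "monolog/monolog", "version": "1.22.0"},
]})

if __name__ == "__main__":
    for name, version, fixed_in in scan_composer_lock(SAMPLE_LOCK):
        print(f"{name} {version} is affected; update to {fixed_in} or later")
```

Point it at a real lock file with `scan_composer_lock(open("composer.lock").read())`; entries whose version carries no numeric part (e.g. a branch alias) are not flagged and should be checked by hand.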