CVE-2015-8476 : Multiple CRLF injection vulnerabilities in PHPMailer before 5.2.14 allow attackers to inject arbitrary SMTP commands via

Multiple CRLF injection vulnerabilities in PHPMailer before 5.2.14 allow attackers to inject arbitrary SMTP commands via CRLF sequences in an (1) email address to the validateAddress function in class.phpmailer.php or (2) SMTP command to the sendCommand function in class.smtp.php, a different vulnerability than CVE-2012-0796.

Published 2015-12-16 21:59:05

Updated 2016-12-06 03:03:58

Source MITRE

View at NVD, CVE.org

Vulnerability category: Input validation

Exploit prediction scoring system (EPSS) score for CVE-2015-8476

Probability of exploitation activity in the next 30 days: 0.26%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 63 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2015-8476

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:P/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2015-8476

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2015-8476

https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.14

Release PHPMailer 5.2.14 · PHPMailer/PHPMailer · GitHub
Vendor Advisory
http://www.securityfocus.com/bid/78619

PHPMailer 'class.phpmailer.php' Security Bypass Vulnerability
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177130.html

[SECURITY] Fedora 23 Update: php-PHPMailer-5.2.14-1.fc23
http://www.openwall.com/lists/oss-security/2015/12/04/5

oss-security - CVE Request: PHPMailer Message Injection Vulnerability
http://www.openwall.com/lists/oss-security/2015/12/05/1

oss-security - Re: CVE Request: PHPMailer Message Injection Vulnerability
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177139.html

[SECURITY] Fedora 22 Update: php-PHPMailer-5.2.14-1.fc22
https://github.com/PHPMailer/PHPMailer/commit/6687a96a18b8f12148881e4ddde795ae477284b0

Add test for line breaks in addresses vulnerability · PHPMailer/PHPMailer@6687a96 · GitHub
http://www.debian.org/security/2015/dsa-3416

Debian -- Security Information -- DSA-3416-1 libphp-phpmailer

Products affected by CVE-2015-8476

Debian » Debian Linux » Version: 6.0
cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 7.0
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Phpmailer Project » Phpmailer
Versions up to, including, (<=) 5.2.13
cpe:2.3:a:phpmailer_project:phpmailer:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2015-8476

Exploit prediction scoring system (EPSS) score for CVE-2015-8476

CVSS scores for CVE-2015-8476

CWE ids for CVE-2015-8476

References for CVE-2015-8476

Products affected by CVE-2015-8476