Vulnerability Details : CVE-2016-10033
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
Vulnerability category: Execute code
At least one public exploit which can be used to exploit this vulnerability exists!
Threat overview for CVE-2016-10033
Top open port discovered on systems with this issue: 80
IPs affected by CVE-2016-10033: 28
Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2016-10033
Probability of exploitation activity in the next 30 days: 97.46%
Percentile (the proportion of vulnerabilities scored at or below this one): ~100%
Metasploit modules for CVE-2016-10033
- PHPMailer Sendmail Argument Injection
  Disclosure Date: 2016-12-26. First seen: 2020-04-26. Module: exploit/multi/http/phpmailer_arg_injection
  PHPMailer versions up to and including 5.2.19 are affected by a vulnerability which can be leveraged by an attacker to write a file with partially controlled contents to an arbitrary location through injection of arguments that are passed to the sendmail binary. This
- WordPress PHPMailer Host Header Command Injection
  Disclosure Date: 2017-05-03. First seen: 2020-04-26. Module: exploit/unix/webapp/wp_phpmailer_host_header
  This module exploits a command injection vulnerability in WordPress version 4.6 with Exim as an MTA via a spoofed Host header to PHPMailer, a mail-sending library that is bundled with WordPress. A valid WordPress username is required to exploit the vulnerability.
CVSS scores for CVE-2016-10033
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source
---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | nvd@nist.gov
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | nvd@nist.gov
CWE ids for CVE-2016-10033
- The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-10033
- PHPMailer Remote Code Execution ≈ Packet Storm: http://packetstormsecurity.com/files/140291/PHPMailer-Remote-Code-Execution.html (Exploit; Third Party Advisory; VDB Entry)
- Release PHPMailer 5.2.18 · PHPMailer/PHPMailer · GitHub: https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.18 (Patch; Vendor Advisory)
- PHPMailer < 5.2.18 - Remote Code Execution (Bash): https://www.exploit-db.com/exploits/40968/ (Exploit; Patch; Third Party Advisory; VDB Entry)
- Full Disclosure: PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033]: http://seclists.org/fulldisclosure/2016/Dec/78 (Mailing List; Patch; Third Party Advisory)
- PHPMailer CVE-2016-10033 Remote Code Execution Vulnerability: http://www.securityfocus.com/bid/95108 (Exploit; Third Party Advisory; VDB Entry)
- PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution: https://www.exploit-db.com/exploits/42221/ (Exploit; Third Party Advisory; VDB Entry)
- PHPMailer < 5.2.18 - Remote Code Execution (PHP): https://www.exploit-db.com/exploits/40970/ (Exploit; Patch; Third Party Advisory; VDB Entry)
- PHPMailer Input Validation Flaw Lets Remote Users Execute Arbitrary Code on the Target System - SecurityTracker: http://www.securitytracker.com/id/1037533 (Third Party Advisory; VDB Entry)
- PHPMailer < 5.2.20 / SwiftMailer < 5.4.5-DEV / Zend Framework / zend-mail < 2.4.11 - 'AIO' 'PwnScriptum' Remote Code Execution: https://www.exploit-db.com/exploits/40986/ (Exploit; Third Party Advisory; VDB Entry)
- SecurityFocus: http://www.securityfocus.com/archive/1/539963/100/0/threaded (Third Party Advisory; VDB Entry)
- PHPMailer < 5.2.20 - Remote Code Execution: https://www.exploit-db.com/exploits/40969/ (Exploit; Third Party Advisory; VDB Entry)
- PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html (Exploit; Patch; Third Party Advisory)
- WordPress PHPMailer 4.6 - Host Header Command Injection (Metasploit): https://www.exploit-db.com/exploits/42024/ (Exploit; Third Party Advisory; VDB Entry)
- PHPmailer 3rd party library -- DRUPAL-SA-PSA-2016-004 | Drupal.org: https://www.drupal.org/psa-2016-004 (Third Party Advisory)
- Vanilla Forums < 2.3 - Remote Code Execution: https://www.exploit-db.com/exploits/41996/ (Exploit; Third Party Advisory; VDB Entry)
- PHPMailer Sendmail Argument Injection: http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection (Exploit; Third Party Advisory)
- PHPMailer Sendmail Argument Injection ≈ Packet Storm: http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html (Exploit; Third Party Advisory; VDB Entry)
- [20161205] - PHPMailer Security Advisory: https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html (Third Party Advisory)
- PHPMailer < 5.2.18 - Remote Code Execution (Python): https://www.exploit-db.com/exploits/40974/ (Exploit; Third Party Advisory; VDB Entry)
- WordPress 4.6 - Remote Code Execution: https://www.exploit-db.com/exploits/41962/ (Exploit; Third Party Advisory; VDB Entry)
- About the CVE 2016 10033 and CVE 2016 10045 vulnerabilities · PHPMailer/PHPMailer Wiki · GitHub: https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities (Patch; Vendor Advisory)
Products affected by CVE-2016-10033
- cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:*
- cpe:2.3:a:phpmailer_project:phpmailer:*:*:*:*:*:*:*:*