Advisory ID: DRUPAL-SA-PSA-2016-004
Project: PHPMailer (third-party library)
Version: 7.x, 8.x
Security risk: 23/25 ( Highly Critical) AC:None/A:User/CI:All/II:All/E:Exploit/TD:All
Vulnerability: Arbitrary PHP code execution
The PHPMailer and SMTP modules (and maybe others) add support for sending e-mails using the 3rd party PHPMailer library.
In general the Drupal project does not create advisories for 3rd party libraries. Drupal site maintainers should pay attention to the notifications provided by those 3rd party libraries as outlined in PSA-2011-002 – External libraries and plugins. However, given the extreme criticality of this issue and the timing of its release we are issuing a Public Service Announcement to alert potentially affected Drupal site maintainers.
CVE identifier(s) issued
All versions of the external PHPMailer library < 5.2.18.
Drupal core is not affected. If you do not use the contributed PHPMailer third party library, there is nothing you need to do.
Upgrade to the newest version of the phpmailler library. https://github.com/PHPMailer/PHPMailer
If you are using the
Original URL: https://www.drupal.org/psa-2016-004