CVE-2015-8476 - Vulnerability Details - OpenCVE

Multiple CRLF injection vulnerabilities in PHPMailer before 5.2.14 allow attackers to inject arbitrary SMTP commands via CRLF sequences in an (1) email address to the validateAddress function in class.phpmailer.php or (2) SMTP command to the sendCommand function in class.smtp.php, a different vulnerability than CVE-2012-0796.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Phpmailer Project	Phpmailer

Configuration 1 [-]

OR	cpe:2.3:o:debian:debian_linux:6.0:::::::*
	cpe:2.3:o:debian:debian_linux:7.0:::::::*
	cpe:2.3:o:debian:debian_linux:8.0:::::::*

Configuration 2 [-]

cpe:2.3:a:phpmailer_project:phpmailer:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177130.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177139.html
http://www.debian.org/security/2015/dsa-3416
http://www.openwall.com/lists/oss-security/2015/12/04/5
http://www.openwall.com/lists/oss-security/2015/12/05/1
http://www.securityfocus.com/bid/78619
https://github.com/PHPMailer/PHPMailer/commit/6687a96a18b8f12148881e4ddde795ae477284b0
https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.14

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2015-12-16T21:00:00.000Z

Updated: 2024-08-06T08:20:42.645Z

Reserved: 2015-12-04T00:00:00.000Z

Link: CVE-2015-8476

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2015-12-16T21:59:05.313

Modified: 2025-04-12T10:46:40.837

Link: CVE-2015-8476

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-11-01T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Multiple CRLF injection vulnerabilities in PHPMailer before 5.2.14 allow attackers to inject arbitrary SMTP commands via CRLF sequences in an (1) email address to the validateAddress function in class.phpmailer.php or (2) SMTP command to the sendCommand function in class.smtp.php, a different vulnerability than CVE-2012-0796."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-12-02T20:57:01.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/PHPMailer/PHPMailer/commit/6687a96a18b8f12148881e4ddde795ae477284b0"}, {"name": "FEDORA-2015-39522bb8c9", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177139.html"}, {"name": "[oss-security] 20151204 Re: CVE Request: PHPMailer Message Injection Vulnerability", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/12/05/1"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.14"}, {"name": "DSA-3416", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2015/dsa-3416"}, {"name": "FEDORA-2015-abf9659276", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177130.html"}, {"name": "78619", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/78619"}, {"name": "[oss-security] 20151204 CVE Request: PHPMailer Message Injection Vulnerability", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/12/04/5"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-8476", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple CRLF injection vulnerabilities in PHPMailer before 5.2.14 allow attackers to inject arbitrary SMTP commands via CRLF sequences in an (1) email address to the validateAddress function in class.phpmailer.php or (2) SMTP command to the sendCommand function in class.smtp.php, a different vulnerability than CVE-2012-0796."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/PHPMailer/PHPMailer/commit/6687a96a18b8f12148881e4ddde795ae477284b0", "refsource": "CONFIRM", "url": "https://github.com/PHPMailer/PHPMailer/commit/6687a96a18b8f12148881e4ddde795ae477284b0"}, {"name": "FEDORA-2015-39522bb8c9", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177139.html"}, {"name": "[oss-security] 20151204 Re: CVE Request: PHPMailer Message Injection Vulnerability", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/12/05/1"}, {"name": "https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.14", "refsource": "CONFIRM", "url": "https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.14"}, {"name": "DSA-3416", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3416"}, {"name": "FEDORA-2015-abf9659276", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177130.html"}, {"name": "78619", "refsource": "BID", "url": "http://www.securityfocus.com/bid/78619"}, {"name": "[oss-security] 20151204 CVE Request: PHPMailer Message Injection Vulnerability", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/12/04/5"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T08:20:42.645Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/PHPMailer/PHPMailer/commit/6687a96a18b8f12148881e4ddde795ae477284b0"}, {"name": "FEDORA-2015-39522bb8c9", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177139.html"}, {"name": "[oss-security] 20151204 Re: CVE Request: PHPMailer Message Injection Vulnerability", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/12/05/1"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.14"}, {"name": "DSA-3416", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2015/dsa-3416"}, {"name": "FEDORA-2015-abf9659276", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177130.html"}, {"name": "78619", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/78619"}, {"name": "[oss-security] 20151204 CVE Request: PHPMailer Message Injection Vulnerability", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/12/04/5"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-8476", "datePublished": "2015-12-16T21:00:00.000Z", "dateReserved": "2015-12-04T00:00:00.000Z", "dateUpdated": "2024-08-06T08:20:42.645Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "036E8A89-7A16-411F-9D31-676313BB7244", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:phpmailer_project:phpmailer:*:*:*:*:*:*:*:*", "matchCriteriaId": "B541AF92-B6BD-4D45-AE93-F5DA2E3B3490", "versionEndIncluding": "5.2.13", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple CRLF injection vulnerabilities in PHPMailer before 5.2.14 allow attackers to inject arbitrary SMTP commands via CRLF sequences in an (1) email address to the validateAddress function in class.phpmailer.php or (2) SMTP command to the sendCommand function in class.smtp.php, a different vulnerability than CVE-2012-0796."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de inyecci\u00f3n CRLF en PHPMailer en versiones anteriores a 5.2.14 permite a atacantes inyectar comandos SMTP arbitrarios a trav\u00e9s de secuencias CRLF en (1) una direcci\u00f3n de correo electr\u00f3nico de la funci\u00f3n validateAddress en class.phpmailer.php o (2) un comando SMTP de la funci\u00f3n sendCommand en class.smtp.php, una vulnerabilidad diferente a CVE-2012-0796."}], "id": "CVE-2015-8476", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-12-16T21:59:05.313", "references": [{"source": "cve@mitre.org", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177130.html"}, {"source": "cve@mitre.org", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177139.html"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2015/dsa-3416"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2015/12/04/5"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2015/12/05/1"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/78619"}, {"source": "cve@mitre.org", "url": "https://github.com/PHPMailer/PHPMailer/commit/6687a96a18b8f12148881e4ddde795ae477284b0"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.14"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177130.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177139.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2015/dsa-3416"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2015/12/04/5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2015/12/05/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/78619"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/PHPMailer/PHPMailer/commit/6687a96a18b8f12148881e4ddde795ae477284b0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.14"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}