Originally published at: [Security Advisory] Phar object injection in PHPMailer - CVE-2018-19296
PHPMailer version used in OXID eShop seems to be vulnerable. Fortunately, we do not use this vulnerable method in core. Please check your extensions/modules for using the vulnerable method and fix with the proposed workaround!
Unfortunately, the non-official workaround didn’t work for me, but I have an alternative that works independently of Linux:
For our installations, I still use the metapackages from OXID ("oxid-esales/oxideshop-metapackage-ce": "v6.3.0").
The phpMailer version is firmly defined there ("phpmailer/phpmailer": "v6.4.0").
Until the next OXID release I have added the following entry in our central composer.json in the require area: "phpmailer/phpmailer": "v6.4.1 as v6.4.0",
This will install version v6.4.1.
1 Like
Shouldn’t it be like that?
"phpmailer/phpmailer": "v6.4.1 as v6.4.0",
1 Like
Ahm, you are right. I’ve corrected it.
2 Likes