Intruder Vulnerability Bulletin — PHPMailer Code Execution Vulnerability
A vulnerability in the PHPMailer library was recently discovered, which affects versions of the software before 5.2.18.
If successfully exploited, this weakness allow a remote attacker to compromise the affected system by executing arbitrary commands.
It’s worth noting that, whether an application using the library is vulnerable, and how easily it is to exploit, depends heavily on how the library was used in each instance. Information has not currently been released regarding how this vulnerability might affect 3rd party software which uses the library (eg. WordPress, Joomla, SugarCRM, 1CRM, Yii, and more).
Software using the PHPMailer library should be updated at the next available opportunity. Until the vulnerability is patched within 3rd party software, one workaround is to update the library yourself (eg. updating the “/libraries/vendor/phpmailer/” directory in Joomla), though we expect to start seeing vendor updates released over the next few days.
Further details of this vulnerability can be found at: