View Issue Details

ID: 0028530
Project: mantisbt
Category: security
View Status: public
Last Update: 2021-06-17 03:05
Reporter: dregad
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: N/A
Status: closed
Resolution: fixed
Product Version: 2.25.0
Target Version: 2.25.1
Fixed in Version: 2.25.1
Summary0028530: Update PHPMailer to 6.4.1 (fixes CVE-2020-36326)
Description

PHPMailer 6.4.1 is a security release.

Fixes https://nvd.nist.gov/vuln/detail/CVE-2020-36326

This is a reintroduction of an earlier issue (CVE-2018-19296) by an unrelated bug fix in PHPMailer 6.1.8. An external file may be unexpectedly executable if it is used as a path to an attachment file via PHP's support for .phar files. Exploitation requires that an attacker is able to provide an unfiltered path to a file to attach, or to trick calling code into generating one.

PHPMailer versions >=6.1.8, <6.4.1 are affected; we're currently using 6.3.0, since 2.25.0; earlier MantisBT versions are not affected (2.24.2 was on PHPMailer 6.1.6).

PR: https://github.com/mantisbt/mantisbt/pull/1751
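The description above comes down to one rule for calling code: never pass an unfiltered path to addAttachment(). The following is an added example (not MantisBT or PHPMailer code) of a caller-side check that rejects stream-wrapper paths such as phar:// and confines attachments to one allowed directory; the function name and $allowedDir are assumptions.

```php
<?php
// Added example, not MantisBT or PHPMailer code. Restricts an attachment path
// to a plain file under one allowed directory before it reaches
// PHPMailer::addAttachment(). $allowedDir is an assumed configuration value.

function safeAttachmentPath(string $requested, string $allowedDir): ?string
{
    // Refuse any stream wrapper (phar://, data://, http://, ...). The issue
    // described here is that a phar:// path handed to PHPMailer as an
    // attachment file is treated as a PHP archive when it is opened.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $requested) === 1) {
        return null;
    }
    // A NUL byte can truncate the path in the underlying C-level calls.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($allowedDir);
    if ($base === false) {
        return null;
    }
    // Resolve symlinks and ".." segments relative to $base, then require the
    // result to stay inside it (the trailing separator stops "/base-evil"
    // from matching "/base").
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Usage with an assumed PHPMailer instance $mail and a request value $requested:
// $path = safeAttachmentPath($requested, '/var/lib/mantis/attachments');
// if ($path === null) {
//     throw new RuntimeException('attachment path rejected');
// }
// $mail->addAttachment($path);
```

The check is deliberately stricter than the PHPMailer fix itself: it also drops paths outside the configured directory, so a library regression like the one reported here cannot be reached through this call site.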

Tags: No tags attached.

Relationships

related to 0027118 (closed, dregad): Update PHPMailer to 6.3.0
related to 0028821 (closed, dregad): Update PHPMailer to 6.5.0

Activities

There are no notes attached to this issue.

Related Changesets

MantisBT: master-2.25 9cbe1cbb
2021-04-29 21:35
Author: dependabot-preview[bot]
Committer: dregad

Bump phpmailer/phpmailer from 6.3.0 to 6.4.1

Bumps [phpmailer/phpmailer](https://github.com/PHPMailer/PHPMailer) from 6.3.0 to 6.4.1.
- [Release notes](https://github.com/PHPMailer/PHPMailer/releases)
- [Changelog](https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md)
- [Commits](https://github.com/PHPMailer/PHPMailer/compare/v6.3.0...v6.4.1)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Fixes 0028530, PR https://github.com/mantisbt/mantisbt/pull/1751
Affected Issues
0028530
mod - composer.lock