Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 626060 (CVE-2017-11503)

Summary: dev-php/PHPMailer: XSS in code_generator.php (CVE-2017-11503)
Product: Gentoo Security Reporter: Aleksandr Wagner (Kivak) <alwag>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: mjo, php-bugs
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~4 [noglsa cve]
Package list:
Runtime testing required: ---

Description Aleksandr Wagner (Kivak) 2017-07-24 17:27:14 UTC
PHPMailer 5.2.23 has XSS in the "From Email Address" and "To Email Address" fields of code_generator.php. 

CVE Details:


Note: The CVE details states that 5.2.23 is vulnerable while the references say that all versions prior to 5.2.23 are vulnerable. Please look this over.
Comment 1 Michael Orlitzky gentoo-dev 2017-07-24 19:53:32 UTC
The reported problem is in an example, and not in the PHPMailer code. I don't see any upstream activity at all regarding this CVE (did anyone report it...?), so I presume the problem still exists.

As a quick workaround, I just dropped that vulnerable example from our ebuild.