Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 626060 (CVE-2017-11503) - dev-php/PHPMailer: XSS in code_generator.php (CVE-2017-11503)
Summary: dev-php/PHPMailer: XSS in code_generator.php (CVE-2017-11503)
Status: RESOLVED FIXED
Alias: CVE-2017-11503
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: ~4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-07-24 17:27 UTC by Aleksandr Wagner (Kivak)
Modified: 2017-07-27 15:08 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Aleksandr Wagner (Kivak) 2017-07-24 17:27:14 UTC
PHPMailer 5.2.23 has XSS in the "From Email Address" and "To Email Address" fields of code_generator.php. 

CVE Details:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11503

References:

https://packetstormsecurity.com/files/143138/phpmailer-xss.txt
https://cxsecurity.com/issue/WLB-2017060181
http://www.securityfocus.com/bid/99293/info

Note: The CVE details states that 5.2.23 is vulnerable while the references say that all versions prior to 5.2.23 are vulnerable. Please look this over.
Comment 1 Michael Orlitzky gentoo-dev 2017-07-24 19:53:32 UTC
The reported problem is in an example, and not in the PHPMailer code. I don't see any upstream activity at all regarding this CVE (did anyone report it...?), so I presume the problem still exists.

As a quick workaround, I just dropped that vulnerable example from our ebuild.