PHPMailer 5.2.23 has XSS in the "From Email Address" and "To Email Address" fields of code_generator.php.

CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11503

References:
https://packetstormsecurity.com/files/143138/phpmailer-xss.txt
https://cxsecurity.com/issue/WLB-2017060181
http://www.securityfocus.com/bid/99293/info

Note: The CVE details state that 5.2.23 is vulnerable, while the references say that all versions prior to 5.2.23 are vulnerable. Please look this over.
The reported problem is in an example, and not in the PHPMailer code. I don't see any upstream activity at all regarding this CVE (did anyone report it...?), so I presume the problem still exists. As a quick workaround, I just dropped that vulnerable example from our ebuild.