[Security Advisory] Phar object injection in PHPMailer – CVE-2018-19296

We have been receiving messages that we would deliver a vulnerable version of PHPMailer with OXID eShop versions 6.2.4 and 6.3.0 (and earlier) because of CVE-2018-19296.

After taking a deeper look at the actual impact, we can state that only method phpmailer::addAttachment() is affected in PHPMailer which is not used by OXID eShop (core installation) at all. However, it might be used in one of your extensions or modules. Please check that and inform/secure your clients accordingly!

Daniel Seifert @D³ gratefully found out that addAttachment() mighgt still be triggered by Email::sendBackupuMail() which seems not to be in use any more. We will deprecate this method as soon as possible.

As a non-official workaround, we can offer this composer command in order to install the latest and fixed PHPMailer version:

composer info | grep phpmailer/phpmailer | awk '{print "composer require phpmailer/phpmailer:\"v6.4.1 as "$2"\""}' | sh

Please let us know in your comments, if this works okay for you and your clients!


  1. Unfortunately, the non-official workaround didn’t work for me, but I have an alternative that works independently of Linux:

    For our installations, i still use the metapackages from OXID (“oxid-esales / oxideshop-metapackage-ce”: “v6.3.0”).

    The phpMailer version is firmly defined there (“phpmailer / phpmailer”: “v6.4.0”).

    Until the next OXID release I have added the following entry in our central composer.json in the require area: “phpmailer / phpmailer”: “v6.4.1 as v6.4.0”,

    This will install version v6.4.1.

  2. shouldn’t it be like that?

    “phpmailer / phpmailer”: “v6.4.1 as v6.4.0”,

  3. Ahm, you are right. I’ve corrected it. :slight_smile:

Continue the discussion at --> OXID forums