[Security Advisory] Phar object injection in PHPMailer – CVE-2018-19296

We have received reports that OXID eShop versions 6.2.4 and 6.3.0 (and earlier) ship a version of PHPMailer that is vulnerable to CVE-2018-19296.

After taking a closer look at the actual impact, we can state that only the method phpmailer::addAttachment() is affected in PHPMailer, and this method is not used by the OXID eShop core installation at all. However, it might be used in one of your extensions or modules. Please check this and inform/secure your clients accordingly!

Daniel Seifert @D³ kindly pointed out that addAttachment() might still be triggered by Email::sendBackupMail(), which does not appear to be in use any more. We will deprecate this method as soon as possible.

As an unofficial workaround, we can offer this composer command, which installs the fixed PHPMailer version v6.4.1 aliased to the currently installed version:

composer info | grep phpmailer/phpmailer | awk '{print "composer require phpmailer/phpmailer:\"v6.4.1 as "$2"\""}' | sh
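To support the two checks this advisory asks for (is the installed PHPMailer at least 6.4.1, and which module files call addAttachment() or sendBackupMail()), here is an added example script; it is not OXID's own tooling, and the shop paths, file names and the sample tree it builds are constructed assumptions.

```shell
#!/bin/sh
# Added example, not OXID's own tooling: two checks a shop operator can run
# for this advisory. Paths, file names and the sample tree are assumptions.

# Returns 0 when composer.lock records phpmailer/phpmailer at 6.4.1 or newer.
phpmailer_version_ok() {
  # composer.lock lists "name" directly followed by "version" for each package
  ver=$(grep -A1 '"name": "phpmailer/phpmailer"' "$1" \
        | sed -n 's/.*"version": *"v\{0,1\}\([0-9.]*\)".*/\1/p' | head -n 1)
  [ -n "$ver" ] || return 1
  set -- $(echo "$ver" | tr '.' ' ')
  major=${1:-0}; minor=${2:-0}; patch=${3:-0}
  [ "$major" -gt 6 ] && return 0
  [ "$major" -eq 6 ] && [ "$minor" -gt 4 ] && return 0
  [ "$major" -eq 6 ] && [ "$minor" -eq 4 ] && [ "$patch" -ge 1 ] && return 0
  return 1
}

# Prints file:line for every PHP file under $1 that calls one of the two
# methods named in the advisory, so the path argument can be reviewed.
find_attachment_callers() {
  grep -rnE 'addAttachment\(|sendBackupMail\(' --include='*.php' "$1" \
    | cut -d: -f1,2
}

# Builds a constructed sample shop tree (lock file pinning a pre-fix PHPMailer,
# one module with two call sites and one clean file) and prints its path.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/modules/acme"
  printf '{ "packages": [ {\n  "name": "phpmailer/phpmailer",\n  "version": "v6.1.5"\n} ] }\n' \
    > "$d/composer.lock"
  printf '<?php\n$mail->addAttachment($userPath);\n' > "$d/modules/acme/Mailer.php"
  printf '<?php\n$email->sendBackupMail($file);\n' > "$d/modules/acme/Cron.php"
  printf '<?php\n$mail->addStringAttachment($data, "a.txt");\n' > "$d/modules/acme/Safe.php"
  echo "$d"
}

tree=$(make_sample_tree)
if phpmailer_version_ok "$tree/composer.lock"; then
  echo "PHPMailer is at 6.4.1 or newer"
else
  echo "PHPMailer is older than 6.4.1; review these call sites:"
  find_attachment_callers "$tree/modules"
fi
```

Run it against a real shop by pointing phpmailer_version_ok at the shop's composer.lock and find_attachment_callers at its modules directory instead of the sample tree.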

Please let us know in your comments, if this works okay for you and your clients!
