{"id":"CVE-2016-10045","details":"The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.","aliases":["GHSA-4pc3-96mx-wwc8"],"modified":"2026-04-11T19:42:01.296988Z","published":"2016-12-30T19:59:00.247Z","references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/archive/1/539967/100/0/threaded"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1037533"},{"type":"ADVISORY","url":"https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html"},{"type":"ADVISORY","url":"https://www.exploit-db.com/exploits/40986/"},{"type":"ADVISORY","url":"https://www.exploit-db.com/exploits/42221/"},{"type":"FIX","url":"http://openwall.com/lists/oss-security/2016/12/28/1"},{"type":"FIX","url":"http://seclists.org/fulldisclosure/2016/Dec/81"},{"type":"FIX","url":"https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.20"},{"type":"FIX","url":"https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities"},{"type":"FIX","url":"https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/140286/PHPMailer-Remote-Code-Execution.html"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html"},{"type":"EVIDENCE","url":"http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection"},{"type":"EVIDENCE","url":"http://www.securityfocus.com/bid/95130"},{"type":"EVIDENCE","url":"https://www.exploit-db.com/exploits/40969/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/joomla/joomla-cms","events":[{"introduced":"0"},{"last_affected":"6a169d998767373c4e0d21ef37ad04d55d67998d"}],"database_specific":{"source":"CPE_FIELD","cpe":"cpe:2.3:a:joomla:joomla\\!:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"1.5.0"},{"last_affected":"3.6.5"}]}}],"versions":["1.7.3","2.5.0","2.5.0_beta1","2.5.0_beta2","2.5.1","2.5.4","2.5.5","2.5.6","3.0.0","3.0.0_alpha-1","3.0.0_alpha-2","3.0.0_beta1","3.0.1","3.0.3","3.1.0_beta1","3.1.0_beta2","3.1.0_beta3","3.1.0_beta4","3.1.0_beta5","3.1.1","3.1.5","3.2.0","3.2.0.alpha","3.2.0.beta","3.2.0.rc","3.2.1","3.2.2","3.2.3","3.2.4","3.3.0","3.4.0","3.4.0-beta1","3.4.0-beta2","3.4.0-beta3","3.4.0-rc","3.4.1","3.4.1-rc","3.4.1-rc2","3.4.2","3.4.2-rc","3.4.3","3.4.4","3.4.4-rc","3.4.4-rc2","3.4.5","3.5.0","3.5.0-beta","3.5.0-beta2","3.5.0-beta3","3.5.0-beta4","3.5.0-beta5","3.5.0-rc","3.5.0-rc2","3.5.0-rc4","3.5.1","3.5.1-rc","3.5.1-rc2","3.6.0","3.6.0-alpha","3.6.0-beta1","3.6.0-beta2","3.6.0-rc","3.6.0-rc2","3.6.1","3.6.1-rc1","3.6.1-rc2","3.6.2","3.6.3","3.6.3-rc1","3.6.3-rc2","3.6.3-rc3","3.6.4","3.6.5"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-10045.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/phpmailer/phpmailer","events":[{"introduced":"0"},{"fixed":"efde5edb3da8e1d257e030e3c2d922c4de6e5d09"}],"database_specific":{"source":["CPE_FIELD","REFERENCES"],"cpe":"cpe:2.3:a:phpmailer_project:phpmailer:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"5.2.20"}]}}],"versions":["v2.2.1","v5.2.0","v5.2.1","v5.2.10","v5.2.13","v5.2.14","v5.2.15","v5.2.16","v5.2.17","v5.2.18","v5.2.19","v5.2.2","v5.2.4","v5.2.5","v5.2.6","v5.2.7","v5.2.8","v5.2.9"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-10045.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/wordpress/wordpress","events":[{"introduced":"0"},{"last_affected":"14247ee4302378d292863865c643abe99bbfe3c7"}],"database_specific":{"source":"CPE_FIELD","cpe":"cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"last_affected":"4.7"}]}}],"versions":["4.7"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-10045.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}