Live Helper Chat support forum. Forum is locked. New place for questions - Github Discussions

#1 2016-12-28 07:32:46

speed4trade
Member
Registered: 2016-12-28
Posts: 2

CVE-2016-10033 vulnerable PHPMailer used (version 5.0.2)

Hello,

a vulnerability has been detected in PHPMailer below version 5.2.18 which will allow remote code execution.
For details see:
https://legalhackers.com/advisories/PHP … -Vuln.html

Is it planned to update the used PHPMailer in version 5.0.2 to a current version which fixes the vulnerability?

Thank you in advance!
Tom

#2 2016-12-28 07:35:04

remdex
Administrator
From: Lithuania
Registered: 2012-09-23
Posts: 3,661

Re: CVE-2016-10033 vulnerable PHPMailer used (version 5.0.2)

Yes, I'll update this evening. It's little risk in lhc itself, because sender is set only from back office as admin user.

#3 2016-12-28 07:48:43

speed4trade
Member
Registered: 2016-12-28
Posts: 2

Re: CVE-2016-10033 vulnerable PHPMailer used (version 5.0.2)

OK, thank you for this information. I just read that the first fix is also buggy and resulted in a new CVE:
https://legalhackers.com/advisories/PHP … ypass.html
Maybe it is good to wait till a final fix is available.

#4 2016-12-28 12:53:54

remdex
Administrator
From: Lithuania
Registered: 2012-09-23
Posts: 3,661

Re: CVE-2016-10033 vulnerable PHPMailer used (version 5.0.2)
