joomleb
18 May 2021

Hi guys,
PHP 7.4.16 + Joomla 3.9.26 (also on a Joomla 4.0 beta 5 installation)

the Server Patchman scan has reported a:

Code injection vulnerability in PHPMailer
/home/.../libraries/vendor/phpmailer/phpmailer/src/PHPMailer.php

joomleb - open - 18 May 2021
joomla-cms-bot - labeled - 18 May 2021
joomleb - edited - 18 May 2021 (the description was changed)
HLeithner - comment - 18 May 2021

First, please don't report security issues on the public tracker. Send an email to security@joomla.org

If your report is about CVE-2020-36326, it is likely invalid for Joomla 3.9.26 because that issue only affects 6.1.8 - 6.4.0; however, Joomla 3 uses PHPMailer 5.x, which is unaffected by that issue.

But for further investigation please send the modified file to security@joomla.org

Joomla 4 is not covered by the JSST until it's released; nevertheless, we will update phpmailer before the next tagged version.

HLeithner - change - 18 May 2021
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2021-05-18 07:52:49
Closed_By: HLeithner
HLeithner - close - 18 May 2021
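
A triage sketch for the version check discussed in the comment above, added here as an example and not code from Joomla, PHPMailer or Patchman: it reads the version declared in a PHPMailer class file and compares it with the 6.1.8 - 6.4.0 range quoted in the thread. The function names, the two file names searched and the sample strings are assumptions of this example.

```python
import re
from pathlib import Path

# Range quoted in the thread for CVE-2020-36326 (treated as inclusive).
AFFECTED_MIN = (6, 1, 8)
AFFECTED_MAX = (6, 4, 0)

# PHPMailer 6.x declares `const VERSION = '...'`; 5.x declares `public $Version = '...'`.
VERSION_RE = re.compile(
    r"""(?:const\s+VERSION|public\s+\$Version)\s*=\s*['"](\d+)\.(\d+)\.(\d+)[^'"]*['"]"""
)


def phpmailer_version(source):
    """Return the (major, minor, patch) declared in PHPMailer source text, or None."""
    m = VERSION_RE.search(source)
    return tuple(int(p) for p in m.groups()) if m else None


def triage(source):
    """Classify PHPMailer source text against the range quoted in the thread."""
    version = phpmailer_version(source)
    if version is None:
        return "unknown"  # no version declaration found: inspect the file by hand
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "in-range"
    return "out-of-range"


def triage_tree(root):
    """Find PHPMailer class files under a site root and triage each one."""
    results = {}
    # Assumed file names: the 6.x and 5.x class files respectively.
    for name in ("PHPMailer.php", "class.phpmailer.php"):
        for path in Path(root).rglob(name):
            text = path.read_text(encoding="utf-8", errors="replace")
            results[str(path)] = triage(text)
    return results


# Constructed samples (not real files): a 5.x-style and a 6.x-style declaration.
SAMPLE_5X = "class PHPMailer {\n    public $Version = '5.2.28';\n}"
SAMPLE_6X = "class PHPMailer {\n    const VERSION = '6.1.8';\n}"

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, verdict in triage_tree(root).items():
        print(f"{verdict:12} {path}")
```

An `out-of-range` verdict only addresses the CVE version range; it says nothing about whether the flagged file was modified, which is what the maintainers ask to see.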
