[phpmailer/phpmailer] PHPMailer vulnerable to email header injection

Impact

Arbitrary additional email headers can be injected via crafted From or Sender headers.

Patches

Fixed in 2.2.1

Workarounds

Filter user-supplied values prior to using them in From or Sender properties.

References

https://nvd.nist.gov/vuln/detail/CVE-2012-0796

For more information

If you have any questions or comments about this advisory:

• Open a private issue in the PHPMailer project

References

• https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-398j-f7m7-795j
• https://github.com/advisories/GHSA-398j-f7m7-795j