VDB

CVE-2017-5223

CVE-2017-5223 PUBLISHED

An issue was discovered in PHPMailer before 5.2.22. PHPMailer's msgHTML method applies transformations to an HTML document to make it usable as an email message body. One of the transformations is to convert relative image URLs into attachments using a script-provided base directory. If no base directory is provided, it resolves to /, meaning that relative image URLs get treated as absolute local file paths and added as attachments. To form a remote vulnerability, the msgHTML method must be called, passed an unfiltered, user-supplied HTML document, and must not set a base directory.

EPSS 2.92% · 86.7th percentile

Risk Scores

EPSS Score
2.92%
86.7th percentile

Affected Products

VendorProductVersions
Ubuntu:Pro:16.04:LTSlibphp-phpmailer0, 5.2.14+dfsg-1, 5.2.14+dfsg-1build1

Exploit Intelligence

…and 9 more exploits

Timeline

  • Jan 16, 2017 CVE Published
  • Oct 26, 2017 PoC Published
  • Oct 28, 2017 CVE Updated
  • Apr 14, 2021 EPSS Score
  • Aug 24, 2021 EPSS Score
  • Oct 26, 2021 EPSS Score
  • Feb 4, 2022 EPSS Score
  • May 2, 2022 EPSS Score
  • Jul 3, 2022 EPSS Score
  • Nov 6, 2022 EPSS Score
  • Mar 7, 2023 EPSS Score
  • Mar 11, 2023 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›