CVE-2016-10033 | THREATINT

Description

The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.

Reserved 2016-12-22 | Published 2016-12-30 | Updated 2025-07-07 | Assigner mitre

CISA Known Exploited Vulnerability

Date added 2025-07-07 | Due date 2025-07-28

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

References

packetstormsecurity.com/...-Sendmail-Argument-Injection.html

www.drupal.org/psa-2016-004

www.exploit-db.com/exploits/42221/ (42221) exploit

www.exploit-db.com/exploits/40969/ (40969) exploit

www.exploit-db.com/exploits/41962/ (41962) exploit

www.exploit-db.com/exploits/40968/ (40968) exploit

legalhackers.com/...emote-Code-Exec-CVE-2016-10033-Vuln.html

github.com/PHPMailer/PHPMailer/releases/tag/v5.2.18

www.securityfocus.com/archive/1/539963/100/0/threaded (20161227 PHPMailer < 5.2.18 Remote Code Execution [updated advisory] [CVE-2016-10033]) mailing-list

github.com/...-2016-10033-and-CVE-2016-10045-vulnerabilities

packetstormsecurity.com/...Mailer-Remote-Code-Execution.html

www.exploit-db.com/exploits/40974/ (40974) exploit

www.exploit-db.com/exploits/40986/ (40986) exploit

www.exploit-db.com/exploits/40970/ (40970) exploit

www.rapid7.com/...exploit/multi/http/phpmailer_arg_injection

www.exploit-db.com/exploits/41996/ (41996) exploit

seclists.org/fulldisclosure/2016/Dec/78 (20161227 PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033]) mailing-list

www.securityfocus.com/bid/95108 (95108) vdb-entry

www.securitytracker.com/id/1037533 (1037533) vdb-entry

developer.joomla.org/...205-phpmailer-security-advisory.html

www.exploit-db.com/exploits/42024/ (42024) exploit

cve.org (CVE-2016-10033)

nvd.nist.gov (CVE-2016-10033)

Download JSON