1. Home
  2. CVE Database
  3. CVE-2021-3603
HIGH · 8.1

CVE-2021-3603

PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host project's scope by other means). If the $patternselect parame...

Vulnerability Description

PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host project's scope by other means). If the $patternselect parameter to validateAddress() is set to 'php' (the default, defined by PHPMailer::$validator), and the global namespace contains a function called php, it will be called in preference to the built-in validator of the same name. Mitigated in PHPMailer 6.5.0 by denying the use of simple strings as validator function names.

CVSS Score

8.1

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
Phpmailer ProjectPhpmailer<= 6.4.1
FedoraprojectFedora33

Related Weaknesses (CWE)

CWE-829

References

FAQ

What is CVE-2021-3603?

CVE-2021-3603 is a vulnerability with a CVSS score of 8.1 (HIGH). PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host project's scope by other means). If the $patternselect parame...

How severe is CVE-2021-3603?

CVE-2021-3603 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-3603?

Check the references section above for vendor advisories and patch information. Affected products include: Phpmailer Project Phpmailer, Fedoraproject Fedora.