PHPMailer vulnerability prior to v5.2.18

[sentq]

there is a vulnerability discovered in PHPMailer, WHMCS v7.1 use (v5.2.16)

 

the critical vulnerability (CVE-2016-10033) allows an attacker to remotely execute arbitrary code in the context of the web server and compromise the target web application.

All versions of PHPMailer before the critical release of PHPMailer 5.2.18 are affected, so web administrators and developers are strongly recommended to update to the patched release.

 

http://thehackernews.com/2016/12/phpmailer-security.html

[zomex]

Let's hope WHMCS see this thread quickly

[wsa]

Maybe sent a ticket to them

[twhiting9275]

Yeah, opening a forum thread for critical issues, not exactly the fastest way to get a response

[WHMCS ChrisD]

Hey Everyone,

 

Our development team is aware of and investigating the impact of this on our code base. They will then determine the appropriate response. As soon as I have more information, I will update this thread.

[sentq]

The idea of opening this thread is to keep WHMCS users informed so they can update manually if WHMCS didn't release patch/fix specially in this time of the year.

[WHMCS Sean]

Here is an update from our development team:

 

The WHMCS development team has reviewed the recent changes to PHPMailer and the related information regarding CVE-2016-10033. While at this time we do not believe the deficiency in PHPMailer is exposed in WHMCS due to our own validation of user input, this CVE represents a serious issue for PHPMailer and therefore to mitigate any undiscovered risk we intend to deliver updates to PHPMailer for all versions of WHMCS in active and long term support. We anticipate delivering updates for WHMCS 7.x within the next 48 hours, and 6.2 and 6.3 shortly therafter.

[WHMCS Nate]

Hello,

 

We have released updated builds that contain version 5.2.21 of PHPMailer. You can learn more on our blog:

 

http://blog.whmcs.com/?t=123166

 

Have a great day,

 

Nate C