PHPMailer 6.1.8 through 6.4.0 allows PHP object injection through Phar deserialization via addAttachment() with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, that fix removed the code that blocked addAttachment() exploitation.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| phpmailer/phpmailer (Packagist) | 6.1.8 | 6.4.1 | N/A |
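As an added defensive example (not PHPMailer's own code and not part of this advisory): a wrapper that validates an attachment path on the string alone before any filesystem function sees it, because file_exists()/is_file() on a phar:// path is what triggers the deserialization, so a check that runs after those calls is too late. The helper names, the allowed-directory argument and the sample paths are assumptions.

```php
<?php
// Hypothetical wrapper around PHPMailer::addAttachment(); assumes PHPMailer
// is installed via Composer. Not PHPMailer project code.
use PHPMailer\PHPMailer\PHPMailer;

/**
 * Decide on the raw string first: nothing here touches the filesystem until
 * stream-wrapper and UNC forms have already been rejected.
 */
function isSafeLocalAttachmentPath(string $path, string $allowedDir): bool
{
    // Any URL scheme (phar://, PHAR://, http://, ...). Same RFC 3986 scheme
    // syntax that PHPMailer's own isPermittedPath() matches.
    if (preg_match('#^[a-z][a-z\d+.-]*://#i', $path)) {
        return false;
    }
    // UNC paths (\\server\share\file or //server/share/file) and NUL bytes
    // have no business in a local attachment path.
    if (strpos($path, '\\\\') === 0 || strpos($path, '//') === 0
        || strpos($path, "\0") !== false) {
        return false;
    }
    // Only now is it safe to resolve; confine the file to the allowed directory.
    $real = realpath($path);
    $base = realpath($allowedDir);
    if ($real === false || $base === false) {
        return false;
    }
    return strpos($real, $base . DIRECTORY_SEPARATOR) === 0 && is_file($real);
}

function addAttachmentSafely(PHPMailer $mail, string $path, string $allowedDir): bool
{
    if (!isSafeLocalAttachmentPath($path, $allowedDir)) {
        error_log('Rejected attachment path: ' . $path); // detection hook
        return false;
    }
    return $mail->addAttachment($path);
}

// Constructed sample inputs; the allowed directory is an assumption.
$allowed = '/var/app/uploads';
var_dump(isSafeLocalAttachmentPath('phar://uploads/evil.jpg/x', $allowed)); // false
var_dump(isSafeLocalAttachmentPath('\\\\attacker\\share\\evil.phar', $allowed)); // false
var_dump(isSafeLocalAttachmentPath($allowed . '/../../etc/passwd', $allowed)); // false
```

Any rejected path is logged before it reaches PHPMailer, which gives a cheap detection signal for tampered attachment parameters alongside the upgrade to 6.4.1.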