- Release Date: January 22, 2019
- Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
- Vulnerability Type: Object Injection
- Affected Versions: 3.0.9 and below
- Severity: High
- Suggested CVSS v3.0: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
- CVE: not assigned yet
It was discovered that the included third-party library PHPMailer is prone to a PHP object injection vulnerability, potentially allowing a remote attacker to execute arbitrary code.
An updated version 3.0.10 is available from the TYPO3 extension manager and at https://typo3.org/extensions/repository/download/mkmailer/3.0.10/zip/.
Users of the extension are advised to update the extension as soon as possible.
Note: Versions 3.0.1 - 3.0.9 of the extension have been released on GitHub only, but are vulnerable too.
Thanks to Security Team Member Torben Hansen who reported the vulnerability.