<div id="emailbody" style="overflow-wrap: break-word; margin: 0px 2em; font-family: Arial, Helvetica, sans-serif; line-height: 12.6px; font-size: 9px;"><table style="overflow-wrap: break-word; border: 0px; padding: 0px; margin: 0px; width: 292px;"><tbody style="overflow-wrap: break-word;"><tr style="overflow-wrap: break-word;"><td width="99%" style="overflow-wrap: break-word; vertical-align: top;"><h1 style="overflow-wrap: break-word; margin: 0px; padding-bottom: 6px;"><a rel="nofollow" target="_blank" href="https://developer.joomla.org/security-centre.html" title="(https://developer.joomla.org/security-centre.html)" style="overflow-wrap: break-word; word-break: break-word; color: rgb(136, 136, 136); font-size: 22px; font-weight: normal; text-decoration: none;">Joomla! Security News</a></h1></td><td width="1%" style="overflow-wrap: break-word;"></td></tr></tbody></table><hr style="overflow-wrap: break-word; border-style: solid; border-color: rgb(204, 204, 204); padding: 0px; margin: 0px;"><table id="itemcontentlist" style="overflow-wrap: break-word;"><tbody style="overflow-wrap: break-word;"><tr style="overflow-wrap: break-word;"><td style="overflow-wrap: break-word; margin-bottom: 0px; line-height: 1.4em;"><p style="overflow-wrap: break-word; margin: 1em 0px 3px;"><a rel="nofollow" name="1" target="_blank" href="http://feedproxy.google.com/~r/JoomlaSecurityNews/~3/UNAIFBclIrU/668-20161205-phpmailer-security-advisory.html?utm_source=feedburner&utm_medium=email" style="overflow-wrap: break-word; word-break: break-word; color: rgb(0, 0, 153); font-weight: bold; text-decoration: none;">[20161205] - PHPMailer Security Advisory</a></p><p style="overflow-wrap: break-word; color: rgb(85, 85, 85); margin: 9px 0px 3px; line-height: 12.6px;"><span style="overflow-wrap: break-word;">Posted:</span> 27 Dec 2016 12:00 AM PST</p><div style="overflow-wrap: break-word; margin: 0px; line-height: 12.6px;" id="yMail_cursorElementTracker_1482870044077"><ul style="overflow-wrap: 
break-word; list-style-type: square; padding-left: 1em;"><li style="overflow-wrap: break-word; margin-bottom: 1em; margin-left: 1em;"><strong style="overflow-wrap: break-word;">Project:</strong> Joomla!</li><li style="overflow-wrap: break-word; margin-bottom: 1em; margin-left: 1em;"><strong style="overflow-wrap: break-word;">Severity:</strong> <span class="label label-important" style="overflow-wrap: break-word;">High</span></li><li style="overflow-wrap: break-word; margin-bottom: 1em; margin-left: 1em;"><strong style="overflow-wrap: break-word;">Versions:</strong> 1.6.0 through 3.6.5</li><li style="overflow-wrap: break-word; margin-bottom: 1em; margin-left: 1em;"><strong style="overflow-wrap: break-word;">Exploit type:</strong> Remote Code Execution in third-party PHPMailer library</li><li style="overflow-wrap: break-word; margin-bottom: 1em; margin-left: 1em;"><strong style="overflow-wrap: break-word;">CVE Number:</strong> <a rel="nofollow" target="_blank" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10033" style="overflow-wrap: break-word; word-break: break-word; color: rgb(0, 0, 153); font-weight: bold; text-decoration: none;">CVE-2016-10033</a></li></ul><h3 style="overflow-wrap: break-word;">Description</h3><p style="overflow-wrap: break-word;">All versions of the third-party PHPMailer library distributed with Joomla! versions up to 3.6.5 contain a remote code execution vulnerability. It is patched in PHPMailer 5.2.18, which will be included with Joomla! 3.7. After analysis, the JSST has determined that, through correct use of the JMail class, additional validations are in place which make exploiting this vulnerability impractical within the Joomla environment. The vulnerability also requires being able to pass user input into a message’s “from” address; all places in the core Joomla API which send mail use the sender address set in the global configuration and do not allow user input to replace it.
However, extensions which bundle a separate copy of PHPMailer, or which do not use the Joomla API to send email, may be vulnerable to this issue.</p><p style="overflow-wrap: break-word;">Generally, the Joomla project does not issue advisories regarding third-party libraries. However, given the severity of this issue, we felt it important to advise our users that we are aware of it and have determined that the additional validations in our API prevent triggering this vulnerability.</p><h3 style="overflow-wrap: break-word;">Affected Installs</h3><p style="overflow-wrap: break-word;">Joomla! CMS versions 1.6.0 through 3.6.5</p><h3 style="overflow-wrap: break-word;">Solution</h3><p style="overflow-wrap: break-word;">No action is required for Joomla users: the updated library will be included in the next scheduled release, and additional mechanisms exist in Joomla core to prevent triggering the vulnerability. Extensions which bundle their own copy of PHPMailer, or which send mail outside the Joomla API, should be checked separately. Users of the PHPMailer library outside Joomla are advised to upgrade to 5.2.18 or newer as soon as possible.</p><h3 style="overflow-wrap: break-word;">Additional Resources</h3><ul style="overflow-wrap: break-word; list-style-type: square; padding-left: 1em;"><li style="overflow-wrap: break-word; margin-bottom: 1em; margin-left: 1em;"><a rel="nofollow" target="_blank" href="https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html" style="overflow-wrap: break-word; word-break: break-word; color: rgb(0, 0, 153); font-weight: bold; text-decoration: none;">https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html</a></li><li style="overflow-wrap: break-word; margin-bottom: 1em; margin-left: 1em;"><a rel="nofollow" target="_blank" href="https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md" style="overflow-wrap: break-word; word-break: break-word; color: rgb(0, 0, 153); font-weight: bold; text-decoration: none;">https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md</a></li></ul><h3
style="overflow-wrap: break-word;">Contact</h3><p style="overflow-wrap: break-word;">The JSST at the <a rel="nofollow" title="Contact the JSST" target="_blank" href="https://developer.joomla.org/security-centre.html" style="overflow-wrap: break-word; word-break: break-word; color: rgb(0, 0, 153); font-weight: bold; text-decoration: none;">Joomla! Security Centre</a>.</p><div class="alert alert-info" style="overflow-wrap: break-word;" id="yMail_cursorElementTracker_1482870044195"><strong style="overflow-wrap: break-word;">Reported By:</strong> Dawid Golunski</div></div></td></tr></tbody></table><table id="footer" style="overflow-wrap: break-word; border-top-width: 1px; border-top-style: solid; border-top-color: rgb(153, 153, 153); padding-top: 4px; margin-top: 1.5em; width: 292px;"><tbody style="overflow-wrap: break-word;"></tbody></table></div>
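<p>Added example, not code from the Joomla or PHPMailer projects, illustrating the rule the advisory's reasoning rests on: the From address comes only from site configuration, and an address supplied by a visitor is accepted only as a Reply-To, and only when it is a plain mailbox with no quoted local part, whitespace or shell metacharacters. The <code>isPlainMailbox</code> policy, the <code>buildMailAddressing</code> helper and the sample inputs are constructed for this example; the <code>$config</code> keys reuse Joomla's configuration names (<code>mailfrom</code>, <code>fromname</code>).</p>

```php
<?php
// Added example (not Joomla or PHPMailer project code). The From address is
// fixed from configuration; request data can only become a Reply-To, and only
// after a deliberately conservative check.
declare(strict_types=1);

/**
 * Conservative "plain mailbox" check. Stricter than RFC 5321 and stricter than
 * filter_var(FILTER_VALIDATE_EMAIL): a quoted local part such as
 * "a b"@example.com is a valid address but is rejected here, because a quoted
 * local part is what lets spaces (and so extra command-line arguments) ride
 * inside an address that is later handed to a mail transport.
 */
function isPlainMailbox(string $address): bool
{
    if ($address === '' || strlen($address) > 254) {
        return false;
    }
    // Assumed policy: dot-atom local part, hostname-style domain, nothing else.
    $pattern = '/^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$/D';
    if (!preg_match($pattern, $address)) {
        return false;
    }
    // Belt and braces: PHP's own validator must agree as well.
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

/**
 * Builds the addressing for a contact-form style message.
 * $config carries the site's configured sender (keys named as in Joomla's
 * configuration.php); $request is untrusted form input.
 */
function buildMailAddressing(array $config, array $request): array
{
    $fields = [
        // Never derived from the request, whatever it contains.
        'from'     => [$config['mailfrom'], $config['fromname']],
        'reply_to' => null,
        'rejected' => null,
    ];
    $candidate = trim((string) ($request['email'] ?? ''));
    if ($candidate === '') {
        return $fields;
    }
    if (isPlainMailbox($candidate)) {
        $fields['reply_to'] = $candidate;
    } else {
        $fields['rejected'] = $candidate;
    }
    return $fields;
}

// Constructed inputs (not taken from the advisory): a benign address, a
// quoted-local-part address carrying a space-separated flag, and a
// header-injection attempt with an embedded CRLF.
$config  = ['mailfrom' => 'noreply@example.org', 'fromname' => 'Example Site'];
$samples = [
    'alice@example.com',
    '"alice -X/tmp/log"@example.com',
    "bob@example.com\r\nBcc: someone@example.net",
];
foreach ($samples as $sample) {
    $fields = buildMailAddressing($config, ['email' => $sample]);
    printf("%-48s from=%s reply_to=%s\n",
        json_encode($sample),
        $fields['from'][0],
        $fields['reply_to'] ?? 'rejected');
}
```

<p>With Joomla's own API the same shape is <code>$mailer = JFactory::getMailer();</code> (which already carries the configured sender) followed by <code>$mailer->addReplyTo($fields['reply_to'])</code> for the validated address; those method names are stated from the Joomla 3 API rather than from the advisory, so confirm them against the version in use.</p>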
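<p>Added example, not code from the Joomla or PHPMailer projects, for the advisory's caveat about extensions that bundle their own PHPMailer: it walks a site tree for <code>class.phpmailer.php</code> (5.x layout) and <code>PHPMailer.php</code> (6.x layout) files, reads the version literal from each, and flags anything below the 5.2.18 named in the advisory. Later PHPMailer releases raised that minimum, so set <code>MIN_SAFE</code> from the SECURITY.md linked above. The fixture directory, file contents and version strings are constructed so the script runs offline; point <code>findPhpmailerCopies</code> at the real site root instead.</p>

```php
<?php
// Added example (not Joomla or PHPMailer project code): find every copy of
// PHPMailer under a site root and flag versions below the advisory's minimum.
declare(strict_types=1);

// Fixed version named by the advisory; raise to the current minimum from SECURITY.md.
const MIN_SAFE = '5.2.18';

/** Extracts the version literal from a PHPMailer class file, or null if absent. */
function phpmailerVersionFromSource(string $source): ?string
{
    // 5.x: public $Version = '5.2.14';  2.x: var $Version = '2.0.4';  6.x: const VERSION = '6.0.7';
    $re = '/(?:\$Version\s*=\s*|const\s+VERSION\s*=\s*)[\'"]([0-9][0-9A-Za-z.+-]*)[\'"]/';
    return preg_match($re, $source, $m) ? $m[1] : null;
}

/** Walks $root and returns [path => version-or-'unknown'] for every PHPMailer copy. */
function findPhpmailerCopies(string $root): array
{
    $found = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        $name = $file->getFilename();
        if ($name !== 'class.phpmailer.php' && $name !== 'PHPMailer.php') {
            continue;
        }
        $version = phpmailerVersionFromSource((string) file_get_contents($file->getPathname()));
        $found[$file->getPathname()] = $version ?? 'unknown';
    }
    ksort($found);
    return $found;
}

/** Unknown versions are treated as vulnerable: a copy you cannot identify needs a look. */
function isVulnerableVersion(string $version): bool
{
    return $version === 'unknown' || version_compare($version, MIN_SAFE, '<');
}

// Constructed fixture: a patched core copy and an older copy bundled by a
// hypothetical extension (com_example is not a real component).
$root = sys_get_temp_dir() . '/phpmailer-audit-' . bin2hex(random_bytes(4));
$fixtures = [
    '/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php'
        => "<?php\nclass PHPMailer {\n    public \$Version = '5.2.18';\n}\n",
    '/administrator/components/com_example/vendor/phpmailer/class.phpmailer.php'
        => "<?php\nclass PHPMailer {\n    public \$Version = '5.2.9';\n}\n",
];
foreach ($fixtures as $rel => $content) {
    @mkdir(dirname($root . $rel), 0700, true);
    file_put_contents($root . $rel, $content);
}

foreach (findPhpmailerCopies($root) as $path => $version) {
    printf("%-5s %-8s %s\n",
        isVulnerableVersion($version) ? 'VULN' : 'ok',
        $version,
        substr($path, strlen($root)));
}

// Remove the fixture files; the empty directories are left under the temp dir.
foreach (array_keys($fixtures) as $rel) {
    unlink($root . $rel);
}
```

<p>A hit outside Joomla's own <code>libraries/</code> tree is a bundled copy that the core update will not touch; the extension vendor has to ship the fix, or the copy has to be replaced by hand.</p>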