Description: The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-770-1, DSA-3750-1
Debian Bugs: 849365

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package: libphp-phpmailer (PTS)

  Release                    Version                   Status
  stretch                    5.2.14+dfsg-2.3+deb9u1    fixed
  stretch (security)         5.2.14+dfsg-2.3+deb9u2    fixed
  bookworm, bullseye, sid    6.2.0-2                   fixed

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs

Fixed by:
Fix potentially incomplete, cf
When updating libphp-phpmailer for CVE-2016-10033, make sure to apply the complete patch so that libphp-phpmailer is not left affected by CVE-2016-10045.
Needs followup:
Another followup:
