Description: The mailSend function in the isMail transport in PHPMailer before 5.2.18, when the Sender property is not set, might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted From address.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DLA-770-1, DSA-3750-1
NVD severity: medium (attack range: remote)
Debian Bugs: 849365

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package            Release                    Version               Status
libphp-phpmailer (PTS)    wheezy                     5.1-1.1               vulnerable
                          wheezy (security)          5.1-1.3               fixed
                          jessie (security), jessie  5.2.9+dfsg-2+deb8u3   fixed
                          stretch, sid               5.2.14+dfsg-2.2       fixed

The information below is based on the following data on fixed versions.

Package    Type    Release    Fixed Version    Urgency    Origin    Debian Bugs

Fixed by:
Fix potentially incomplete, cf
When updating libphp-phpmailer for CVE-2016-10033 make sure to apply the
complete patch to not make libphp-phpmailer affected by CVE-2016-10045.
Needs followup:
Another followup:
