CMS Made Simple Forums

Hi all,

After an upgrade from 2.2.3.1 to 2.2.16 , the hosting company did send me an email with this message

Below you will find the list of resolved vulnerabilities.
For more information, look in the DirectAdmin of your web hosting package at 'Patchman'.

Code injection vulnerability in PHPMailer.
public_html/lib/phpmailer/class.phpmailer.php

My customer is a little worried. What can I tell him?

Ronald

Some extra info.

DirectAdmin >> Patchman log

[PHPMailer] [CVE-2020-36326 - CVE-2018-19296] Object-injectie
CVE-2020-36326 https://github.com/advisories/GHSA-m298-fh5c-jc66
CVE-2018-19296 https://github.com/advisories/GHSA-7w4p-72j7-v7c2

This is a vulnerability of the type code-injection.

The vulnerabilities of the libraries that make part of CMSMS may affect the whole, part or none of the CMSMS core depending on circumstances. We are almost always notified of them as soon as they are discovered, and have to assess whether these vulnerabilities are exploitable in the CMSMS context or not. Every time a library upgrade is due, we need to test it, see if the latest release is mature enough not to introduce new bugs and unknown vulnerabilities, and if the upgrade itself is the best solution possible vs the version currently being used. In some cases the lib is exposed enough to be a liability and open to be exploited and action is taken immediately to fix it, in other cases the lib is wrapped too deep in the CMSMS core own code that the core itself is responsible for the protections and mitigations needed to prevent the vulnerable code from being exploited.
In the case of PHPMailer, the assessment made at the time was that there was no way that the exploit could be used given that the 3rd party modules used are trusted for using the CMSMS core API to access the PHPMailer lib, i.e. Formbuilder, CGBetterForms, SmartForms, FEU, MAMS, and all of the more popular modules that use the email sending functionality. So there was no urgency in upgrading the lib.
We are now in the process of finalizing an upgrade of CMSMS and most, if not all, its libraries are included. This update is long due, and is imminent, for a number of reasons.
That is to say that, if you don't have any custom code that accesses the PHPmailer library directly, there should be no risk involved. And the update is on its way too, so we are going to close that door at the same time.

Jo Morg, Thank you for your detailed explanation.
I'm sure my customer will be happy after reading your answer.

Hi,

Out of curiosity: When the new version of CMSMS is expected ? I need to start 3 new sites(PHP 8.1) with CMSMS and if possible to go with a newer version

Thanks

We are doing our best to try to release it in the next few weeks. The issue has been that work has been getting in the way, and delaying the development quite a bit. Not committing to it, but I'm really hoping to release in the next couple of weeks.