I think...phpmailer 5.5 should be get an update ASAP

7pdf · May 14, 2021, 6:22pm

The version 5.5 of PHPMailer is part of the newest release and it should be updated! There is a SECURITY issue …

SECURITY Fixes CVE-2020-36326, a regression of CVE-2018-19296 object injection introduced in 6.1.8, see SECURITY.md for details

See Releases · PHPMailer/PHPMailer · GitHub

…for details.

ahmetbora · May 14, 2021, 6:47pm

Thanks for reporting. Kirby 3.5.5 has the latest version of phpMailer.

7pdf · May 14, 2021, 7:01pm

Sure? I have downloaded 3.5.5 and if I open the file phpmailer.php from /vendor/phpmailer/phpmailer/src/PHPMailer.php … I see in the comments header Version 5.5 (!)

…
/**

PHPMailer - PHP email creation and transport class.
PHP Version 5.5.
…

ahmetbora · May 14, 2021, 7:08pm

Yes, i’m sure. It is not the phpMailer version. This is the lowest php version that phpMailer supports.

Here installed phpMailer version of Kirby:

github.com

getkirby/kirby/blob/3.5.5/composer.json#L30

    
      
          "require": {
            "php": ">=7.3.0 <8.1.0",
            "ext-ctype": "*",
            "ext-mbstring": "*",
            "claviska/simpleimage": "3.6.3",
            "filp/whoops": "2.12.1",
            "getkirby/composer-installer": "^1.2.0",
            "laminas/laminas-escaper": "2.7.0",
            "michelf/php-smartypants": "1.8.1",
            "mustangostang/spyc": "0.6.3",
            "phpmailer/phpmailer": "6.4.1",
            "true/punycode": "2.1.1"
          },
          "config": {
            "optimize-autoloader": true,
            "platform-check": false
          },
          "autoload": {
            "psr-4": {
              "Kirby\\": "src/"
            },

7pdf · May 14, 2021, 7:08pm

Ok - I have checked the code base of the current version against the version that comes with Kirby 3.5.5 and you’re right. It’s the newest one. The 5.5 was the PHP version, my mistake. Sorry!

7pdf · May 14, 2021, 7:09pm

Better once too much reported than too little

ahmetbora · May 14, 2021, 7:14pm

I understand your concerns. Please don’t worry, security issues in dependencies are automatically reported. In addition, we always check manually before each new release.

Thank you again for reporting. If you think there is a security issue next time, please follow these steps: