The version 5.5 of PHPMailer is part of the newest release and it should be updated! There is a SECURITY issue …
SECURITY Fixes CVE-2020-36326, a regression of CVE-2018-19296 object injection introduced in 6.1.8, see SECURITY.md for details
See Releases · PHPMailer/PHPMailer · GitHub
Thanks for reporting. Kirby 3.5.5 has the latest version of phpMailer.
Sure? I have downloaded 3.5.5 and if I open the file phpmailer.php from /vendor/phpmailer/phpmailer/src/PHPMailer.php … I see in the comments header Version 5.5 (!)
- PHPMailer - PHP email creation and transport class.
- PHP Version 5.5.
Yes, I’m sure. It is not the PHPMailer version. This is the lowest PHP version that PHPMailer supports.
Here is the installed PHPMailer version of Kirby:
Ok - I have checked the code base of the current version against the version that comes with Kirby 3.5.5 and you’re right. It’s the newest one. The 5.5 was the PHP version, my mistake. Sorry!
Better to report once too often than too little.
I understand your concerns. Please don’t worry, security issues in dependencies are automatically reported. In addition, we always check manually before each new release.
Thank you again for reporting. If you think there is a security issue next time, please follow these steps: