Mailsystem - Critical - PHP Injection

Project

Mail System

Date

May 07, 2025

Severity

Critical

Risk Score

15 ∕ 25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon

Vulnerability

PHP Injection vulnerability

Affected versions

<=7.x-2.35

Description

Mailsystem 2.x is susceptible to a PHP injection vulnerability. This vulnerability is mitigated by that fact that an attacker would need to have the ability to upload PHP files, i.e. through IMCE.

Sites that do not grant non trusted users the upload PHP files are not effected.

Solution

Install the latest version: 7.x-3.1

mailsystem-7.x-3.1.tar.gz
mailsystem-7.x-3.1.zip

Reported by

diamondsea

Fixed by

Vitor Faria (vitor faria)
Ivo Van Geertruyen (mr.baileys)
Tag1 D7ES

Coordinated by

Tag1 D7ES