PHPMailer Security Advisory
Exploit type: Remote Code Execution in third-party PHPMailer library
CVE Numbers: CVE-2016-10033 and CVE-2016-10045
All versions of the third-party PHPMailer library which is distributed with IXXO Cart are vulnerable to a remote code execution vulnerability.
This is patched in PHPMailer 5.2.20. At this time we do not believe the deficiency in PHPMailer is exposed in IXXO Cart due to our own validation of user input. Furthermore, the vulnerability requires being able to pass user input unfiltered to a message's "from" address, which in IXXO Cart is only defined within the admin configuration and only accessible to a trusted admin user.
Irrespective of the known protections in the IXXO Cart product, this CVE represents a serious issue for PHPMailer. Therefore to mitigate any undiscovered risk or risk to 3rd party extensions using PHPMailer directly, we are releasing updates for all versions of IXXO Cart in active and long term support to provide the latest PHPMailer library version 5.2.21.
No action required for IXXO Cart users that are using the latest version.
The updated library is included in the new version and additional mechanisms exist in IXXO Cart core to prevent triggering the vulnerability.
All IXXO Cart users are advised to upgrade their installations to the latest version of IXXO Cart (220.127.116.11) or newer ASAP.
Upgrade to the latest version of IXXO Cart (18.104.22.168)