
Fedora 39: FEDORA-2023-f9877b5292 Critical: Php-PhpMailer6 XSS Risk

September 15, 2023
Fedora Update Announcement FEDORA-2023-c9878c7301 includes security improvements for php-phpmailer to mitigate XSS vulnerabilities.

Summary

PHPMailer - A full-featured email creation and transfer class for PHP

Class Features

* Probably the world's most popular code for sending email from PHP!

* Used by many open-source projects:

WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more

* Integrated SMTP support - send without a local mail server

* Send emails with multiple To, CC, BCC and Reply-to addresses

* Multipart/alternative emails for mail clients that do not read HTML email

* Add attachments, including inline

* Support for UTF-8 content and 8bit, base64, binary, and quoted-printable encodings

* SMTP authentication with LOGIN, PLAIN, CRAM-MD5 and XOAUTH2 mechanisms over SSL and SMTP+STARTTLS transports

* Validates email addresses automatically

* Protect against header injection attacks

* Error messages in 47 languages!

* DKIM and S/MIME signing support

* Compatible with PHP 5.5 and later

* Namespaced to prevent name clashes

* Much more!

Autoloader: /usr/share/php/PHPMailer/PHPMailer6/autoload.php

Update Information:

Minor security note

The DSN support added in 6.8.0 reflects the DSN back to the user in an error message if it is invalid. If a DSN uses user-supplied input (a very bad idea), it opens a distant possibility of XSS if the host app does not escape output. In an abundance of caution, malformed DSNs are no longer reflected in error messages.

Changes

* Don't reflect malformed DSNs in error messages to avert any risk of XSS

* Improve Simplified Chinese, Sinhalese, and Norwegian translations

* Don't use setAccessible in PHP >= 8.1 in tests

* Avoid a deprecation notice in PHP 8.3

* Fix link in readme
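The note above describes an error message that echoes an invalid DSN back to the caller. The PHP below is an added illustration, not PHPMailer's own code: a hypothetical DSN check written in the pre-6.8.1 style that reflects the input, beside the 6.8.1 behaviour of a fixed message, with the host application's own output escaping shown as the second line of defence. The function names and the sample DSN are constructed for this example.

```php
<?php
// Added example, not PHPMailer's code. Shows why reflecting a malformed DSN
// in an error message becomes an XSS sink when the host app renders library
// errors in HTML without escaping, and the two changes that remove the risk.

// Hypothetical check modelled on a DSN of the shape "smtp://user:pass@host:port".
// Pre-6.8.1 style: the caller-controlled string is echoed back in the message.
function parseMailDsn(string $dsn): array
{
    $parts = parse_url($dsn);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('Malformed DSN: ' . $dsn);
    }
    return $parts;
}

// 6.8.1 style: same validation, but the message never contains the input,
// so there is nothing for a downstream template to reflect.
function parseMailDsnSafe(string $dsn): array
{
    $parts = parse_url($dsn);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('Malformed DSN');
    }
    return $parts;
}

// Constructed input: config text carrying markup, as user-supplied settings might.
// It has no scheme or host, so both checks reject it.
$tainted = '<em>not a dsn</em>';

foreach (['parseMailDsn', 'parseMailDsnSafe'] as $fn) {
    try {
        $fn($tainted);
    } catch (InvalidArgumentException $e) {
        // Defence in depth on the host-app side: escape anything rendered into
        // HTML, whichever library produced the text. The first function's message
        // only stays harmless because of this call; the second needs no rescue.
        echo $fn, ' -> ',
            htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
            PHP_EOL;
    }
}
```

Running it prints the reflected, escaped markup for the first function and the bare "Malformed DSN" for the second, which is the difference the advisory describes.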

Change Log

* Tue Aug 29 2023 Remi Collet - 6.8.1-1 - update to 6.8.1

References

Fedora Update Notification FEDORA-2023-f9877b5292
2023-09-15 18:36:13.239322

Name : php-phpmailer6
Product : Fedora 39
Version : 6.8.1
Release : 1.fc39
URL : https://github.com/PHPMailer/PHPMailer
Summary : Full-featured email creation and transfer class for PHP
Description : PHPMailer - A full-featured email creation and transfer class for PHP (class features and autoloader path as listed under Summary above)

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2023-f9877b5292' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

Severity: Critical

Name: php-phpmailer6
Product: Fedora 39
Version: 6.8.1
Release: 1.fc39
Summary: Full-featured email creation and transfer class for PHP
