CVE-2024-53860

CVSS 3.1 Score 8.6 of 10 (high)

Details

Published Nov 27, 2024
CWE ID 74

Summary

CVE-2024-53860 affects the sp-php-email-handler PHP package, which is used for handling contact form submissions. The vulnerability allows attackers to specify arbitrary email recipients and include user-provided content in confirmation emails. This could result in the server being used to send spam, phishing emails, or other malicious content, potentially damaging the domain's reputation and leading to email provider blacklisting. Version 1.0.0 of the package has addressed this issue by removing user-provided content from confirmation emails. Pre-release versions (alpha and beta) are vulnerable and should not be used. There are currently no workarounds, and users must upgrade to version 1.0.0 to mitigate the vulnerability.
