CVE-2024-53860: SPEmailHandler-PHP has Potential Abuse for Sending Arbitrary Emails

November 27, 2024 (updated December 2, 2024)

Messages sent using this script are vulnerable to abuse, as the script allows anybody to specify arbitrary email recipients and include user-provided content in confirmation emails. This could enable malicious actors to use your server to send spam, phishing emails, or other malicious content, potentially damaging your domain’s reputation and leading to email providers disallowing your domains.

References

github.com/Spencer14420/SPEmailHandler-PHP
github.com/Spencer14420/SPEmailHandler-PHP/commit/6f00dd0d44ff27889aed2980a5ba06e60d83549d
github.com/Spencer14420/SPEmailHandler-PHP/security/advisories/GHSA-mj5r-x73q-fjw6
github.com/advisories/GHSA-mj5r-x73q-fjw6
nvd.nist.gov/vuln/detail/CVE-2024-53860

Detect and mitigate CVE-2024-53860 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →