CMS MADE SIMPLE FORGE

CMS Made Simple Core

 

[#11914] Bundled versions of smarty and PHPMailer contain security vulnerabilities

avatar
Created By: Michael Orlitzky (orlitzky)
Date Submitted: Sun Oct 21 19:15:04 -0400 2018

Assigned To:
Version: 2.2.8
CMSMS Version: 2.2.8
Severity: Minor
Resolution: Fixed
State: Open
Summary:
Bundled versions of smarty and PHPMailer contain security vulnerabilities
Detailed Description:
By looking in

  (a) public/lib/smarty/Smarty.class.php
  (b) public/lib/phpmailer/VERSION

I see that CMSMS comes bundled with v3.1.31 of smarty and v5.2.22 of PHPMailer.
These both contain security vulnerabilities that have been fixed in newer
versions:

  https://github.com/PHPMailer/PHPMailer/blob/5.2-stable/SECURITY.md
  https://github.com/smarty-php/smarty/blob/master/change_log.txt

(Upgrading to the 6.x branch of PHPMailer is probably a better idea in the long
run.)


History

Comments
avatar
Date: 2018-10-22 17:31
Posted By: Robert Campbell (calguy1000)

Though CMSMS uses these versions of the software it is not directly subject to
these vulnerabilities.

a:  CMSMS does not set the smarty security policie's trusted_dirs member. 
Therefore we are not directly susceptible to that vulnerability.
b:  CMSMS does not at any time set the SMTP debugging level for PHPMailer.

Though it is possible that third party code could enable these exploits, it is
not in CMSMS itself.

So... though I will upgrade PHPMailer and Smarty (again) for CMSMS 2.3 I do not
think that this warrants another release of the 2.2.x series.

I also changed the severity to minor because this does not directly, or easily
effect CMSMS.
      
avatar
Date: 2018-10-22 17:55
Posted By: Robert Campbell (calguy1000)

Versions of smarty and PHPMailer have been upgraded for CMSMS 2.3
      
Updates

Updated: 2018-10-22 17:55
resolution_id: 6 => 7

Updated: 2018-10-22 17:31
resolution_id: => 6
severity_id: 1 => 3