CVE-2009-4023
php-mail - insufficient input sanitising
EPSS 3.1%
Description
Argument injection vulnerability in the sendmail implementation of the Mail::Send method (Mail/sendmail.php) in the Mail package 1.1.14 for PEAR allows remote attackers to read and write arbitrary files via a crafted $from parameter, a different vector than CVE-2009-4111.
How to fix CVE-2009-4023
To remediate CVE-2009-4023, upgrade the affected package to a fixed version below.
- Debian/php-mail—upgrade to 1.1.14-2 or later
- Debian/php-mail—upgrade to 1.1.6-2+etch1 or later
Is CVE-2009-4023 being exploited?
Low — EPSS is 3.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 1.1.14-2
- from 0, < 1.1.6-2+etch1