Hi @SteveRoe,
I can see two “high-risk” vulnerabilities listed for PHPMailer 6.2.0, which is distributed with OJS 3.3.0-8:
- CVE-2021-3603: PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is inje
- CVE-2020-36326: PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname
I can confirm that neither is exploitable via OJS.
We use Dependabot, which is integrated with GitHub, to report vulnerabilities in the third-party dependencies we use. When I get a notification of one of these, I assess its applicability to OJS; if there is an attack surface, I make sure the dependency is updated (and schedule a release). So you should be safe to continue hosting with 3.3.0-8 as is, until such time as we flag a security issue on the OJS download page or send a notification out via the PKP security announcement mailing list.
That said, the patch is probably safe to apply.
@kerimsarigul, just a note that PHPMailer is the SMTP implementation that’s included in OJS 3.3.0-8. I think you’re probably referring to PHP’s mail() function, which is known to be unsafe in some circumstances.
Regards,
Alec Smecher
Public Knowledge Project Team