Hi,
After my recent installation of OJS 3.3.0-13, I have been getting this security warning from one of my cybersecurity tools:
File Name: lib/pkp/lib/vendor/phpmailer/phpmailer/src/PHPMailer.php
Type: Code Injection
Description: CVE-2020-36326 - An external file could be unexpectedly executable if it was used as a path to an attachment file via PHP's support for .phar files. Exploitation requires that an attacker was able to provide an unfiltered path to a file to attach. CVE-2018-19296 - Was vulnerable to an object injection attack by passing phar:// paths into addAttachment() and other functions that could receive unfiltered local paths, possibly leading to RCE.
This information is explicitly on the basis of the code in this file and not generalized to all PHPMailer versions.
Could you please share whether this is a real threat and, if so, how it can be patched?
Best Regards,
Jaimin
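Both CVEs quoted above hinge on the same thing: an unfiltered path reaching addAttachment(), where a phar:// stream wrapper makes PHP's file operations deserialize phar metadata. The added example below (my own illustration, not PHPMailer's or OJS's code) shows the kind of gate an application should put in front of addAttachment(): refuse any path that carries a URL scheme before touching the filesystem, then require the canonical path to be a regular file under an assumed attachments directory.

```php
<?php
// Added example, not PHPMailer's or OJS's own code: vet an attachment path
// before it is handed to PHPMailer::addAttachment(). Order matters: the
// scheme check runs BEFORE any filesystem call, because is_file()/realpath()
// on a phar:// path is exactly the operation that triggers deserialization.

final class AttachmentPathPolicy
{
    private string $baseDir; // canonical directory attachments must live under (assumed)

    public function __construct(string $baseDir)
    {
        $real = realpath($baseDir);
        if ($real === false || !is_dir($real)) {
            throw new InvalidArgumentException("base directory not found: $baseDir");
        }
        $this->baseDir = $real;
    }

    /** Canonical path if $path is a plain local file under baseDir, otherwise null. */
    public function resolve(string $path): ?string
    {
        // Reject anything that looks like a stream wrapper or URL (phar://, php://,
        // data:, ...). Two or more scheme characters so a Windows drive letter passes.
        if (preg_match('#^[a-z][a-z0-9+.\-]+:#i', $path) === 1) {
            return null;
        }
        // Embedded NUL bytes can truncate the path in lower-level calls.
        if (strpos($path, "\0") !== false) {
            return null;
        }
        $real = realpath($path);
        if ($real === false || !is_file($real)) {
            return null;
        }
        // Containment check blocks ../ escapes out of the attachments directory.
        $prefix = $this->baseDir . DIRECTORY_SEPARATOR;
        if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
            return null;
        }
        return $real;
    }
}

// Usage (constructed sample; the directory is an assumption, not an OJS path):
// $policy = new AttachmentPathPolicy('/var/www/ojs/files/attachments');
// $safe = $policy->resolve($userSuppliedPath);
// if ($safe === null) { error_log("rejected attachment path"); }
// else { $mail->addAttachment($safe); }
```

The check is defence in depth: an up-to-date PHPMailer already refuses wrapper paths itself, so the real fix is to confirm the bundled library version and upgrade, and this gate only protects calling code that passes user-controlled paths.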