Please disclose any vulnerabilities found responsibly - report any security problems found to the maintainers privately.

PHPMailer versions prior to 5.2.24 (released July 26th 2017) have an XSS vulnerability in one of the code examples, [CVE-2017-11503](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11503). The `code_generator.phps` example did not filter user input prior to output. This file is distributed with a `.phps` extension, so it it not normally executable unless it is explicitly renamed, so it is safe by default. There was also an undisclosed potential XSS vulnerability in the default exception handler (unused by default). Patches for both issues kindly provided by Patrick Monnerat of the Fedora Project.

PHPMailer versions prior to 5.2.22 (released January 9th 2017) have a local file disclosure vulnerability, [CVE-2017-5223](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5223). If content passed into `msgHTML()` is sourced from unfiltered user input, relative paths can map to absolute local file paths and added as attachments. Also note that `addAttachment` (just like `file_get_contents`, `passthru`, `unlink`, etc) should not be passed user-sourced params either! Reported by Yongxiang Li of Asiasecurity.

PHPMailer versions prior to 5.2.20 (released December 28th 2016) are vulnerable to [CVE-2016-10045](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10045) a remote code execution vulnerability, responsibly reported by [Dawid Golunski](https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html), and patched by Paul Buonopane (@Zenexer).

PHPMailer versions prior to 5.2.18 (released December 2016) are vulnerable to [CVE-2016-10033](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10033) a remote code execution vulnerability, responsibly reported by [Dawid Golunski](http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html).

PHPMailer versions prior to 5.2.14 (released November 2015) are vulnerable to [CVE-2015-8476](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8476) an SMTP CRLF injection bug permitting arbitrary message sending.

PHPMailer versions prior to 5.2.10 (released May 2015) are vulnerable to [CVE-2008-5619](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5619), a remote code execution vulnerability in the bundled html2text library. This file was removed in 5.2.10, so if you are using a version prior to that and make use of the html2text function, it's vitally important that you upgrade and remove this file.

PHPMailer versions prior to 2.0.7 and 2.2.1 are vulnerable to [CVE-2012-0796](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0796), an email header injection attack.

Joomla 1.6.0 uses PHPMailer in an unsafe way, allowing it to reveal local file paths, reported in [CVE-2011-3747](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3747).

PHPMailer didn't sanitise the `$lang_path` parameter in `SetLanguage`. This wasn't a problem in itself, but some apps (PHPClassifieds, ATutor) also failed to sanitise user-provided parameters passed to it, permitting semi-arbitrary local file inclusion, reported in [CVE-2010-4914](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4914), [CVE-2007-2021](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2021) and [CVE-2006-5734](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-5734).

PHPMailer 1.7.2 and earlier contained a possible DDoS vulnerability reported in [CVE-2005-1807](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1807).

PHPMailer 1.7 and earlier (June 2003) have a possible vulnerability in the `SendmailSend` method where shell commands may not be sanitised. Reported in [CVE-2007-3215](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-3215).

6.0.3

{

"autoload": {

"psr-4": {

"Acme\\": "src/"

}

},

"require": {

"phpmailer/phpmailer": "^6.0"

}

}

use PHPMailer\PHPMailer\PHPMailer;

use PHPMailer\PHPMailer\Exception;

require 'vendor/autoload.php';

$email_id = $_POST['email'] ;

$mail = new PHPMailer(true); // Passing `true` enables exceptions

try {

//Server settings

$mail->SMTPDebug = 2; // Enable verbose debug output

$mail->isSMTP(); // Set mailer to use SMTP

$mail->Host = 'smtp.gmail.com'; // Specify main and backup SMTP servers

$mail->SMTPAuth = true; // Enable SMTP authentication

$mail->Username = 'college.study.notes@gmail.com'; // SMTP username

$mail->Password = 'noteswalaemail'; // SMTP password

//$mail->SMTPSecure = 'tls'; // Enable TLS encryption, `ssl` also accepted

$mail->Port = 25; // TCP port to connect to

//Recipients

$mail->setFrom('college.study.notes@gmail.com', 'Mailer');

$mail->addAddress($email_id, 'Joe User'); // Add a recipient

$mail->addAddress('kiodeba11@gmail.com'); // Name is optional

//$mail->addReplyTo('info@example.com', 'Information');

//$mail->addCC('cc@example.com');

//$mail->addBCC('bcc@example.com');

//Attachments

//$mail->addAttachment('/var/tmp/file.tar.gz'); // Add attachments

//$mail->addAttachment('/tmp/image.jpg', 'new.jpg'); // Optional name

//Content

$mail->isHTML(true); // Set email format to HTML

$mail->Subject = 'Thank You for Contacting us';

$mail->Body = 'Thanks a ton for sending us a message. We were quite lonely here :D .';

$mail->AltBody = 'Thanks a ton for sending us a message. We were quite lonely here :D .';

$mail->send();

echo 'Message has been sent';

} catch (Exception $e) {

echo 'Message could not be sent. Mailer Error: ', $mail->ErrorInfo;

}

namespace PHPMailer\PHPMailer;

use League\OAuth2\Client\Provider\Google;

use Hayageek\OAuth2\Client\Provider\Yahoo;

use Stevenmaguire\OAuth2\Client\Provider\Microsoft;

if (!isset($_GET['code']) && !isset($_GET['provider'])) {

<html>

<body>Select Provider:<br/>

<a href='?provider=Google'>Google</a><br/>

<a href='?provider=Yahoo'>Yahoo</a><br/>

<a href='?provider=Microsoft'>Microsoft/Outlook/Hotmail/Live/Office365</a><br/>

</body>

</html>

exit;

}

require 'vendor/autoload.php';

session_start();

$providerName = '';

if (array_key_exists('provider', $_GET)) {

$providerName = $_GET['provider'];

$_SESSION['provider'] = $providerName;

} elseif (array_key_exists('provider', $_SESSION)) {

$providerName = $_SESSION['provider'];

}

if (!in_array($providerName, ['Google', 'Microsoft', 'Yahoo'])) {

exit('Only Google, Microsoft and Yahoo OAuth2 providers are currently supported in this script.');

}

$clientId = 'RANDOMCHARS-----duv1n2.apps.googleusercontent.com';

$clientSecret = 'RANDOMCHARS-----lGyjPcRtvP';

$redirectUri = (isset($_SERVER['HTTPS']) ? 'https://' : 'http://') . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'];

$params = [

'clientId' => $clientId,

'clientSecret' => $clientSecret,

'redirectUri' => $redirectUri,

'accessType' => 'offline'

];

$options = [];

$provider = null;

switch ($providerName) {

case 'Google':

$provider = new Google($params);

$options = [

'scope' => [

'https://mail.google.com/'

]

];

break;

case 'Yahoo':

$provider = new Yahoo($params);

break;

case 'Microsoft':

$provider = new Microsoft($params);

$options = [

'scope' => [

'wl.imap',

'wl.offline_access'

]

];

break;

}

if (null === $provider) {

exit('Provider missing');

}

if (!isset($_GET['code'])) {

// If we don't have an authorization code then get one

$authUrl = $provider->getAuthorizationUrl($options);

$_SESSION['oauth2state'] = $provider->getState();

header('Location: ' . $authUrl);

exit;

} elseif (empty($_GET['state']) || ($_GET['state'] !== $_SESSION['oauth2state'])) {

unset($_SESSION['oauth2state']);

unset($_SESSION['provider']);

exit('Invalid state');

} else {

unset($_SESSION['provider']);

// Try to get an access token (using the authorization code grant)

$token = $provider->getAccessToken(

'authorization_code',

[

'code' => $_GET['code']

]

);

// Use this to interact with an API on the users behalf

// Use this to get a new access token if the old one expires

echo 'Refresh Token: ', $token->getRefreshToken();

}

<form class="work-request" action="contact-us.php" method="POST">

<input id="opt-1" value="app design" type="checkbox" name="job">

<input id="opt-2" value="graphic design" type="checkbox" name="job">

<input id="opt-3" value="motion design" type="checkbox" name="job">

<input id="opt-4" value="ux design" type="checkbox" name="job">

<input id="opt-5" value="webdesign" type="checkbox" name="job">

<input id="opt-6" value="marketing" type="checkbox" name="job">

<input id="name" spellcheck="false" type="text" name="name">

<input id="email" spellcheck="false" type="email" name="email">