Description

This script is possibly vulnerable to Email injection attacks.

Email injection is a security vulnerability that allows malicious users to send email messages using someone else's server without prior authorization. A malicious spammer could use this tactic to send large numbers of messages anonymously.

Remediation

You need to restrict CR(0x13) and LF(0x10) from the user input. Check references for more information about fixing this vulnerability.

References

PHP mail() Header Injection Through Subject and To Parameters

Related Vulnerabilities

MySQL Improper Input Validation Vulnerability (CVE-2012-5614)

OpenSSL Improper Input Validation Vulnerability (CVE-2014-3513)

Joomla Improper Input Validation Vulnerability (CVE-2016-8869)

Drupal Core 9.2.x Security Bypass (9.2.0 - 9.2.15)

Plone CMS Improper Input Validation Vulnerability (CVE-2013-4197)

Severity

High

Classification

CWE-20 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Abuse Of Functionality