Security Question: When will phpmailer be updated in MOD 2.7.x?

I’ve just reported this security issue by email.

I noticed today that PHPMailer has had some security updates to address CVE-2018-19296. I can see this information by looking at the github releases page of PHPMailer.

MODX, to my knowledge uses PHPMailer 5.2.26, however, since then:
5.2.27 and 6.0.6 was released in Nov 2018 to address CVE-2018-19296.
The entire 5.2 branch has been deprecated as of 31 Dec 2018.

In the meantime, can you advise if it’s possible to disable PHPMailer 5.2.26 which is bundled with MODX? Is it possible to have MODX use an alternative mail library instead of modMail / PHPMailer 5.2.x?


1 Like

Hi @phatphug, welcome to the Modx community!

Thanks for the information share. This is indeed very important.
Never tried to switch the mailer agent to other than the embedded phpmailer.

I will subscribe this topic to follow all other interactions closely.

Checked modx revolution github and there is no Fault opened for this topic.
Created one:

Hopefully this will raise the visibility of the issue to the devs so we can get a quick fix.

I got the security email this morning, and as I replied to the OP, I am in the process of updating PHPMailer in the 2.x branch.

1 Like

Does using SMTP bypass PHPMailer and the security issue?

No. PHPMailer is the default implementation of modMail that comes with the MODX core and is used anytime you use the modMail API unless you provide a custom implementation.

Thanks for picking this up so quickly. I’ll await your update.