SCA: security update for spencer14420/sp-php-email-handler (GHSA-mj5r-x73q-fjw6)

high Tenable Self-Hosted Container Security Plugin ID 416991

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- sp-php-email-handler is a PHP package for handling contact form submissions. Messages sent using this
script are vulnerable to abuse, as the script allows anybody to specify arbitrary email recipients and
include user-provided content in confirmation emails. This could enable malicious actors to use your
server to send spam, phishing emails, or other malicious content, potentially damaging your domain's
reputation and leading to blacklisting by email providers. Patched in version 1.0.0 by removing user-
provided content from confirmation emails. All pre-release versions (alpha and beta) are vulnerable to
this issue and should not be used. There are no workarounds for this issue. Users must upgrade to version
1.0.0 to mitigate the vulnerability. (CVE-2024-53860)

See Also

https://github.com/advisories/GHSA-mj5r-x73q-fjw6

Plugin Details

Severity: High

ID: 416991

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.3

Percentile: 51.01

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2024-53860

CVSS v3

Risk Factor: High

Base Score: 8.6

Temporal Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.7

Threat Score: 6.6

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 11/27/2024

Vulnerability Publication Date: 11/27/2024

Reference Information

CVE: CVE-2024-53860

cwe: CWE-74