Topic Closed
juergen
1.5K Posts
65.5K Downloads
16 Plugins

A critical vulnerability has been discovered in PHPmailer, a third-party component used by Typesetter CMS.

The current version 5.2.14, which is implemented in Typesetter CMS, should be updated IMMEDIATELY to 5.2.21.

HowTo:

  1. Download PHPmailer's current master ZIP archive from GitHub.
  2. Extract the files class.phpmailer.php, class.pop3.php, class.smtp.php and PHPMailerAutoload.php
  3. Log on to your web host (via FTP/SFTP or your control panel; you need file system access).
  4. Overwrite/replace the files in [Typesetter installation root]/include/thirdparty/PHPmailer/ with the new ones.
  5. Done.

Links:

Edited: 7 years ago#9906

Rob1n
95 Posts
Thanks Juergen.
7 years ago#9907

Cheers juergen!

Is anyone aware of a list or other way to be notified of security issues which should be addressed in between Typesetter upgrades?

 

7 years ago#9913

juergen

… other way to be notified of security issues which should be addressed in between Typesetter upgrades?

Although we had 2 such cases in 2016, they are fortunately very rare with Typesetter.
So, to answer your question, there is yet no official channel for that purpose.

If Josh would add a 'Security' forum chapter, anyone could follow it. Should be considered IMO.

For the time being, you could subscribe to my blog feed on my Typesetter Addons page -> http://typesetter-addons.grafikrausz.at/Blog_Feed
While this blog is meant to announce new addon versions, I do also post security issues there (of course I can only report things I'm aware of).

7 years ago#9916

DAL
29 Posts

Hi Juergen,

Thanks for all the info.

Do you know if these files have been added and are now part of the latest full Typesetter 5.0.3 installation zip download?

Thanks,

D.

7 years ago#9917

juergen

if these files have been added and are now part of the latest full Typesetter 5.0.3 installation zip download?

No. Thomas issued a pull request on GitHub but it has not been merged yet.
You will have to fix every new installation manually until Typesetter 5.0.4 (or whatever version) is released.

7 years ago#9918

andrew
14 Posts

Thanks for bringing this up! I got a security message from Gentoo (the Linux distro I use) about this vulnerability, but I didn't realize phpmailer is part of Typesetter. Worth noting as well is that at least one Typesetter addon "Special Contact Form" also includes phpmailer.

It would be a good idea for anyone to search for these four files on their webserver, if running multiple sites, multiple software, etc.

7 years ago#9928
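
The search suggested in the post above, which also confirms that step 4 of the HowTo took effect, as an added example (not part of the thread, and not Typesetter or PHPMailer code). It assumes a POSIX shell with find, sed and sort, and that class.phpmailer.php declares its version as a `$Version = '5.2.x';` property; the function names are hypothetical.

```shell
#!/bin/sh
# Find every bundled copy of class.phpmailer.php below a directory and
# report whether it is older than the fixed release named in this thread.
FIXED_VERSION=5.2.21

# Print the version declared in one class.phpmailer.php file.
# Assumption: a line such as   public $Version = '5.2.14';
phpmailer_version() {
    sed -n "s/.*\$Version[[:space:]]*=[[:space:]]*['\"]\([0-9][0-9.]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Succeed when dotted version $1 is older than $2 (fields compared numerically).
version_lt() {
    [ "$1" = "$2" ] && return 1
    oldest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$oldest" = "$1" ]
}

# Print one tab-separated line per copy found: STATUS, version, path.
# STATUS is OUTDATED, OK, or UNKNOWN (no version string could be read).
scan_phpmailer() {
    find "$1" -type f -iname 'class.phpmailer.php' 2>/dev/null |
    while IFS= read -r f; do
        v=$(phpmailer_version "$f")
        if [ -z "$v" ]; then
            status=UNKNOWN
        elif version_lt "$v" "$FIXED_VERSION"; then
            status=OUTDATED
        else
            status=OK
        fi
        printf '%s\t%s\t%s\n' "$status" "${v:-?}" "$f"
    done
}

# Usage: sh scan_phpmailer.sh /path/to/webroot
[ "$#" -eq 0 ] || scan_phpmailer "$1"
```

Copies reported as UNKNOWN need a manual look, since the file may be a different major version or a modified copy.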
