Errata overview
Errata ID 554
Date 2018-11-28
Source package libphp-phpmailer
Fixed in version 5.2.9+dfsg-2+deb8u4
This update addresses the following issues:
* An issue was discovered in PHPMailer. The msgHTML method applies
  transformations to an HTML document to make it usable as an email message
  body. One of the transformations converts relative image URLs into
  attachments using a script-provided base directory. If no base directory is
  provided, it resolves to /, meaning that relative image URLs are treated as
  absolute local file paths and added as attachments. For this to be remotely
  exploitable, the msgHTML method must be called with an unfiltered,
  user-supplied HTML document and without a base directory set.
* PHPMailer is vulnerable to an object injection attack. (CVE-2018-19296)
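
A pre-send gate for the msgHTML issue described above, as an added example (not PHPMailer or Univention code): it rejects untrusted HTML whose image references are not absolute http(s) URLs and always passes an explicit base directory. The function names, the dedicated image directory and the sample input are assumptions.

```php
<?php
// Added example: not PHPMailer or Univention code. Function names are hypothetical.

/**
 * Return every src/background value in $html that is not an absolute
 * http(s) URL, i.e. every reference that could be resolved as a file path.
 * The scan is textual on purpose: it also flags matches inside comments or
 * plain text, which is the conservative choice for a pre-send gate.
 */
function findLocalImageRefs(string $html): array
{
    $pattern = '/\b(?:src|background)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))/i';
    preg_match_all($pattern, $html, $matches, PREG_SET_ORDER);
    $flagged = [];
    foreach ($matches as $m) {
        // The attribute value is the last capture group present in the match.
        $value = trim(html_entity_decode((string) end($m), ENT_QUOTES | ENT_HTML5));
        if (!preg_match('#^https?://#i', $value)) {
            $flagged[] = $value;
        }
    }
    return $flagged;
}

/**
 * Gate for untrusted HTML. $mail is a PHPMailer instance; $imageDir is a
 * dedicated directory (assumed) holding only files that may be attached.
 */
function setUntrustedHtmlBody($mail, string $html, string $imageDir): void
{
    $flagged = findLocalImageRefs($html);
    if ($flagged !== []) {
        throw new InvalidArgumentException(
            'local image reference rejected: ' . implode(', ', $flagged)
        );
    }
    // Always pass an explicit base directory, never the empty default.
    $mail->msgHTML($html, $imageDir);
}

// Constructed sample input: one remote image, two relative references.
$sample = '<p>Hi</p><img src="https://example.org/logo.png">'
        . '<img src="config/settings.ini">'
        . "<td background='../private/notes.txt'>";
print_r(findLocalImageRefs($sample));
```

Rejecting the message is stricter than rewriting it; applications that must accept embedded images can instead map approved references to files inside the dedicated directory before calling msgHTML.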
Additional notes
CVE ID CVE-2017-5223
UCS Bug number #48209