GHSA-xjw3-5r5c-m5ph: 
PHP vulnerability analysis and mitigation

A remote code execution vulnerability was discovered in the Swift Mailer library affecting typo3/swiftmailer and neos/swiftmailer packages. The vulnerability was disclosed on January 6th, 2017, and affected all versions before 5.4.5. The issue was assigned CVE-2016-10074 and was considered of Critical severity (Neos Blog).

The vulnerability specifically affects installations using the default mail() transport in the Swift Mailer library. The issue was identified as a Remote Code Execution (RCE) vulnerability, which could potentially allow attackers to execute arbitrary code on affected systems. The vulnerability impacts versions >= 4.1.0, < 4.1.99 and >= 5.4.0, < 5.4.5 of the package (GitHub Advisory).

The vulnerability could potentially allow remote code execution on affected systems when using the default mail() transport. However, systems not using the default mail() transport were not affected by this particular vulnerability (Neos Blog).

The vulnerability was patched in versions 4.1.99 and 5.4.5 of the package. Users were strongly encouraged to update immediately to these versions. For those using typo3/swiftmailer, it was recommended to switch to neos/swiftmailer during the update process. The patch level release contained no breaking changes and could be fetched via composer (Neos Blog).