A critical PHPMailer error that could affect concrete5

Hello,

I am not a concrete5 expert by any means, however given that concrete5 can use PHPMailer, this could be a critical error.

https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Ex...

Just wanted to make people aware of this bug. I hope this helps.

zaneweb
mnakalay replied:
I read about that as well. You are right, it's a bit concerning.
mesuva replied:
Does any version of concrete5 use PHPMailer?
I just did a very quick search in 5.6 and 5.7 and didn't find it.
mnakalay replied:
Actually no, but the issue also affects SwiftMailer which is used by C5 and Zendmailer.

It was fixed already but C5 probably should update.

Here's the article about the vulnerability: https://securityaffairs.co/wordpress/55002/hacking/swiftmailer-phpma...
And here's the article about the fix: https://threatpost.com/phpmailer-swiftmailer-updates-resolve-critica...
zaneweb replied:
Doesn't concrete5 v8.0.3 (the version my site is running) use PHPMailer?

Under Dashboard -> System & Settings -> Email -> SMTP Method, there is an option for "Default PHP Mail Function." I took that to mean PHPMailer, but I could be wrong.

Sorry, I just thought it did and wanted to clarify.
mnakalay replied:
Not exactly.
PHPMailer is a library that takes care of "building" the email message you want to send. It takes care of things like setting up the subject, the "to" emails, the "cc" emails, whether it's HTML or plain text... You get the idea.

On the other hand the default PHP "mail" function is simply that: a function called mail() that comes with PHP. That function takes care of actually sending the email.

So you build the email message with PHPMailer and you send it with the PHP mail() function.

Or at least that's one possibility.

Now Concrete5 doesn't use PHPMailer but it uses another equivalent library called SwiftMailer which was also affected by the same vulnerability and was patched as well.

The core team contacted me back today saying they were on it so I think, if there is a real threat to Concrete5, there'll be something done soon.
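An added example (not code from this thread, from concrete5, or from PHPMailer/SwiftMailer) that shows the split described above: one piece of code builds the message, and PHP's built-in mail() hands it to the local MTA. The bug class in the linked advisories is that the sender address reached mail()'s fifth argument (the sendmail "-f" option) without validation; the assumed helper names below are hypothetical, and the isSafeSenderAddress() check refuses any value that is not a plain address before it can get there.

```php
<?php
// Added example, not part of the thread or of any project named in it.
// Hypothetical helper names; the validation rule is this example's own.

function isSafeSenderAddress(string $address): bool
{
    // Must be a syntactically valid address...
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // ...and must contain no whitespace, quotes or shell metacharacters.
    // filter_var alone still accepts some quoted local parts, so this second
    // check is what keeps a second sendmail option from being smuggled in.
    return preg_match('/[\s"\'\\\\`$;&|<>]/', $address) === 0;
}

function buildMessage(string $subject, string $body, bool $html): array
{
    // The "building" half: assemble the headers the way a mailer library would.
    $headers = [
        'MIME-Version: 1.0',
        'Content-Type: ' . ($html ? 'text/html' : 'text/plain') . '; charset=UTF-8',
    ];
    return [
        'subject' => $subject,
        'body'    => $body,
        'headers' => implode("\r\n", $headers),
    ];
}

function sendMessage(string $to, string $from, array $message): bool
{
    // The "sending" half: mail() only ever sees a sender that passed validation.
    if (!isSafeSenderAddress($from) || !isSafeSenderAddress($to)) {
        return false; // refuse rather than forward an unvalidated value to sendmail
    }
    $headers = $message['headers'] . "\r\nFrom: " . $from;
    // Fifth argument = extra sendmail parameters; "-f" sets the envelope sender.
    return mail($to, $message['subject'], $message['body'], $headers, '-f' . $from);
}

// Constructed inputs: a plain address passes, one with an embedded space is refused.
var_dump(isSafeSenderAddress('alice@example.com'));
var_dump(isSafeSenderAddress('alice@example.com extra'));
```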
zaneweb replied:
Sorry, I got a bit confused between the two. I assumed they were the same thing. Thank you for clearing that up! :)

Also, I'm glad that they are working on it and that I was able to at least try to help.
mnakalay replied:
Yes, the core team can't be everywhere so keeping an eye on things is primordial. Thank you for this.
mnakalay replied:
I just sent the core team's security team an email.