CVE-2020-13625: Improper Encoding or Escaping of Output in Project Phpmailer

Severity
NVD: 7.5 HIGH
OSV: 9.8
EPSS
4.5%
top 10.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jun 8
Latest update: Mar 15

Description

PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2 packages)

Packagist: phpmailer/phpmailer < 6.1.6

Also affects: Debian Linux 8.0, 9.0, Fedora 31, 32, Ubuntu Linux 18.04

Patches

🔴Vulnerability Details

7
OSV: libphp-phpmailer vulnerability (2023-03-15)
OSV: libphp-phpmailer vulnerabilities (2023-03-15)
OSV: libphp-phpmailer vulnerability (2020-09-16)
CVEList: CVE-2020-13625: PHPMailer before 6 (2020-06-08)
OSV: CVE-2020-13625: PHPMailer before 6 (2020-06-08)

📋Vendor Advisories

4
Ubuntu: PHPMailer vulnerabilities (2023-03-15)
Ubuntu: PHPMailer vulnerability (2023-03-15)
Ubuntu: PHPMailer vulnerability (2020-09-16)
Debian: CVE-2020-13625: libphp-phpmailer - PHPMailer before 6.1.6 contains an output escaping bug when the name of a file a... (2020)

💬Community

3
Bugzilla: CVE-2020-13625 php-PHPMailer: output escaping could result in the file type being misinterpreted (2020-06-19)
Bugzilla: CVE-2020-13625 php-PHPMailer: output escaping could result in the file type being misinterpreted [fedora-all] (2020-06-19)
Bugzilla: CVE-2020-13625 php-PHPMailer: output escaping could result in the file type being misinterpreted [epel-all] (2020-06-19)