CVE-2020-13625
published 2020-06-08CVE-2020-13625: PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type…
PriorityP341high7.5CVSS 3.1
AVNACLPRNUINSUCNIHAN
EPSS
3.78%
88.6th percentile
PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | libphp-phpmailer | < libphp-phpmailer 6.1.6-1 (bookworm) | libphp-phpmailer 6.1.6-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| phpmailer | phpmailer | >= 0 < 6.1.6 | 6.1.6 |
| phpmailer_project | phpmailer | < 6.1.6 | 6.1.6 |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:P/A:N
ghsa7.5HIGH
osv9.8CRITICAL
vendor_ubuntu9.8CRITICAL
vendor_debian7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
libphp-phpmailer vulnerability
osv·2023-03-15·CVSS 9.8
CVE-2017-11503 [CRITICAL] libphp-phpmailer vulnerability
libphp-phpmailer vulnerability
USN-5956-1 fixed vulnerabilities in PHPMailer. It was discovered that the
fix for CVE-2017-11503 was incomplete. This update fixes the problem.
Original advisory details:
Dawid Golunski discovered that PHPMailer was not properly escaping user
input data used as arguments to functions executed by the system shell. An
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 16.04 ESM. (CVE-2016-10033, CVE-2016-10045)
It was discovered that PHPMailer was not properly escaping characters
in certain fields of the code_generator.php example code. An attacker
could possibly use this issue to conduct cross-site scripting (XSS)
attacks. This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04
ESM. (CVE-2017-11503)
Yo
OSV
libphp-phpmailer vulnerabilities
osv·2023-03-15·CVSS 9.8
CVE-2016-10033 [CRITICAL] libphp-phpmailer vulnerabilities
libphp-phpmailer vulnerabilities
Dawid Golunski discovered that PHPMailer was not properly escaping user
input data used as arguments to functions executed by the system shell. An
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 16.04 ESM. (CVE-2016-10033, CVE-2016-10045)
It was discovered that PHPMailer was not properly escaping characters
in certain fields of the code_generator.php example code. An attacker
could possibly use this issue to conduct cross-site scripting (XSS)
attacks. This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04
ESM. (CVE-2017-11503)
Yongxiang Li discovered that PHPMailer was not properly converting
relative paths provided as user input when adding attachments to messages,
which could lead to relative im
OSV
libphp-phpmailer vulnerability
osv·2020-09-16·CVSS 7.5
CVE-2020-13625 [HIGH] libphp-phpmailer vulnerability
libphp-phpmailer vulnerability
Elar Lang discovered that PHPMailer did not properly escape double quote
characters in filenames. A remote attacker could possibly exploit this
with a crafted filename to bypass attachment filters that are based on
matching filename extensions. (CVE-2020-13625)
OSV
CVE-2020-13625: PHPMailer before 6
osv·2020-06-08·CVSS 7.5
CVE-2020-13625 [HIGH] CVE-2020-13625: PHPMailer before 6
PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message.
GHSA
Insufficient output escaping of attachment names in PHPMailer
ghsa·2020-05-27·CVSS 7.5
CVE-2020-13625 [HIGH] CWE-116 Insufficient output escaping of attachment names in PHPMailer
Insufficient output escaping of attachment names in PHPMailer
### Impact
CWE-116: Incorrect output escaping.
An attachment added like this (note the double quote within the attachment name, which is entirely valid):
$mail->addAttachment('/tmp/attachment.tmp', 'filename.html";.jpg');
Will result in a message containing these headers:
Content-Type: application/octet-stream; name="filename.html";.jpg"
Content-Disposition: attachment; filename="filename.html";.jpg"
The attachment will be named `filename.html`, and the trailing `";.jpg"` will be ignored. Mail filters that reject `.html` attachments but permit `.jpg` attachments may be fooled by this.
Note that the MIME type itself is obtained automatically from the *source filename* (in this case `attachment.tmp`, which maps to a generic
OSV
Insufficient output escaping of attachment names in PHPMailer
osv·2020-05-27·CVSS 7.5
CVE-2020-13625 [HIGH] Insufficient output escaping of attachment names in PHPMailer
Insufficient output escaping of attachment names in PHPMailer
### Impact
CWE-116: Incorrect output escaping.
An attachment added like this (note the double quote within the attachment name, which is entirely valid):
$mail->addAttachment('/tmp/attachment.tmp', 'filename.html";.jpg');
Will result in a message containing these headers:
Content-Type: application/octet-stream; name="filename.html";.jpg"
Content-Disposition: attachment; filename="filename.html";.jpg"
The attachment will be named `filename.html`, and the trailing `";.jpg"` will be ignored. Mail filters that reject `.html` attachments but permit `.jpg` attachments may be fooled by this.
Note that the MIME type itself is obtained automatically from the *source filename* (in this case `attachment.tmp`, which maps to a generic
Ubuntu
PHPMailer vulnerabilities
vendor_ubuntu·2023-03-15·CVSS 9.8
CVE-2021-3603 [CRITICAL] PHPMailer vulnerabilities
Title: PHPMailer vulnerabilities
Summary: Several security issues were fixed in PHPMailer.
Dawid Golunski discovered that PHPMailer was not properly escaping user
input data used as arguments to functions executed by the system shell. An
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 16.04 ESM. (CVE-2016-10033, CVE-2016-10045)
It was discovered that PHPMailer was not properly escaping characters
in certain fields of the code_generator.php example code. An attacker
could possibly use this issue to conduct cross-site scripting (XSS)
attacks. This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04
ESM. (CVE-2017-11503)
Yongxiang Li discovered that PHPMailer was not properly converting
relative paths provided as user input when addi
Ubuntu
PHPMailer vulnerability
vendor_ubuntu·2023-03-15·CVSS 9.8
CVE-2017-11503 [CRITICAL] PHPMailer vulnerability
Title: PHPMailer vulnerability
Summary: An incomplete fix was discovered in PHPMailer.
USN-5956-1 fixed vulnerabilities in PHPMailer. It was discovered that the
fix for CVE-2017-11503 was incomplete. This update fixes the problem.
Original advisory details:
Dawid Golunski discovered that PHPMailer was not properly escaping user
input data used as arguments to functions executed by the system shell. An
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 16.04 ESM. (CVE-2016-10033, CVE-2016-10045)
It was discovered that PHPMailer was not properly escaping characters
in certain fields of the code_generator.php example code. An attacker
could possibly use this issue to conduct cross-site scripting (XSS)
attacks. This issue was only fixed in Ub
Ubuntu
PHPMailer vulnerability
vendor_ubuntu·2020-09-16·CVSS 7.5
CVE-2020-13625 [HIGH] PHPMailer vulnerability
Title: PHPMailer vulnerability
Summary: Attachments with specially crafted filenames could bypass filename-based
mail attachment filters.
Elar Lang discovered that PHPMailer did not properly escape double quote
characters in filenames. A remote attacker could possibly exploit this
with a crafted filename to bypass attachment filters that are based on
matching filename extensions. (CVE-2020-13625)
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2020-13625: libphp-phpmailer - PHPMailer before 6.1.6 contains an output escaping bug when the name of a file a...
vendor_debian·2020·CVSS 7.5
CVE-2020-13625 [HIGH] CVE-2020-13625: libphp-phpmailer - PHPMailer before 6.1.6 contains an output escaping bug when the name of a file a...
PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message.
Scope: local
bookworm: resolved (fixed in 6.1.6-1)
bullseye: resolved (fixed in 6.1.6-1)
forky: resolved (fixed in 6.1.6-1)
sid: resolved (fixed in 6.1.6-1)
trixie: resolved (fixed in 6.1.6-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-13625 php-PHPMailer: output escaping could result in the file type being misinterpreted
bugzilla·2020-06-19·CVSS 7.5
CVE-2020-13625 [HIGH] CVE-2020-13625 php-PHPMailer: output escaping could result in the file type being misinterpreted
CVE-2020-13625 php-PHPMailer: output escaping could result in the file type being misinterpreted
PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message.
Upstream Reference:
https://github.com/PHPMailer/PHPMailer/releases/tag/v6.1.6
Discussion:
Created php-PHPMailer tracking bugs for this issue:
Affects: epel-all [bug 1848843]
Affects: fedora-all [bug 1848842]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Bugzilla
CVE-2020-13625 php-PHPMailer: output escaping could result in the file type being misinterpreted [fedora-all]
bugzilla·2020-06-19·CVSS 7.5
CVE-2020-13625 [HIGH] CVE-2020-13625 php-PHPMailer: output escaping could result in the file type being misinterpreted [fedora-all]
CVE-2020-13625 php-PHPMailer: output escaping could result in the file type being misinterpreted [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue aff
Bugzilla
CVE-2020-13625 php-PHPMailer: output escaping could result in the file type being misinterpreted [epel-all]
bugzilla·2020-06-19·CVSS 7.5
CVE-2020-13625 [HIGH] CVE-2020-13625 php-PHPMailer: output escaping could result in the file type being misinterpreted [epel-all]
CVE-2020-13625 php-PHPMailer: output escaping could result in the file type being misinterpreted [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.htmlhttp://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.htmlhttps://github.com/PHPMailer/PHPMailer/releases/tag/v6.1.6https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-f7hx-fqxw-rvvjhttps://lists.debian.org/debian-lts-announce/2020/06/msg00014.htmlhttps://lists.debian.org/debian-lts-announce/2020/08/msg00004.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EFM3BZABL6RUHTVMXSC7OFMP4CKWMRPJ/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SMH4TC5XTS3KZVGMSKEPPBZ2XTZCKKCX/https://usn.ubuntu.com/4505-1/http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.htmlhttp://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.htmlhttps://github.com/PHPMailer/PHPMailer/releases/tag/v6.1.6https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-f7hx-fqxw-rvvjhttps://lists.debian.org/debian-lts-announce/2020/06/msg00014.htmlhttps://lists.debian.org/debian-lts-announce/2020/08/msg00004.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EFM3BZABL6RUHTVMXSC7OFMP4CKWMRPJ/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SMH4TC5XTS3KZVGMSKEPPBZ2XTZCKKCX/https://usn.ubuntu.com/4505-1/
2020-06-08
Published