CVE-2020-13625

Exploit

EPSS 2.74%
Published 08.06.2020 17:15:10
Last modified 21.11.2024 05:01:37
Source cve@mitre.org
Teams watchlist Login
Open Login

PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message.

Affected products Warnungen 0 Metrics 3 CWE 1 References 12

Data is provided by the National Vulnerability Database (NVD)

Phpmailer Project ≫ Phpmailer Version < 6.1.6

Fedoraproject ≫ Fedora Version31

Fedoraproject ≫ Fedora Version32

Canonical ≫ Ubuntu Linux Version18.04 SwEditionlts

Debian ≫ Debian Linux Version8.0

Debian ≫ Debian Linux Version9.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	2.74%	0.855

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N

CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html

Broken Link

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html

Broken Link

https://github.com/PHPMailer/PHPMailer/releases/tag/v6.1.6

Third Party Advisory

Release Notes

https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-f7hx-fqxw-rvvj

Patch

Third Party Advisory

Exploit

https://lists.debian.org/debian-lts-announce/2020/06/msg00014.html