7.5

CVE-2020-13625

Exploit
PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Phpmailer ProjectPhpmailer Version < 6.1.6
FedoraprojectFedora Version31
FedoraprojectFedora Version32
CanonicalUbuntu Linux Version18.04 SwEditionlts
DebianDebian Linux Version8.0
DebianDebian Linux Version9.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 3.78% 0.886
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:N/I:P/A:N
CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html
Broken Link
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html
Broken Link
https://github.com/PHPMailer/PHPMailer/releases/tag/v6.1.6
Third Party Advisory
Release Notes
https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-f7hx-fqxw-rvvj
Patch
Third Party Advisory
Exploit
https://lists.debian.org/debian-lts-announce/2020/06/msg00014.html
Third Party Advisory
Mailing List
https://lists.debian.org/debian-lts-announce/2020/08/msg00004.html
Third Party Advisory
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EFM3BZABL6RUHTVMXSC7OFMP4CKWMRPJ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SMH4TC5XTS3KZVGMSKEPPBZ2XTZCKKCX/
https://usn.ubuntu.com/4505-1/
Third Party Advisory