PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message.

The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM / 22.04 ESM host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5956-1 advisory.

    Dawid Golunski discovered that PHPMailer was not properly escaping user input data used as arguments to     functions executed by the system shell. An attacker could possibly use this issue to execute arbitrary     code. This issue only affected Ubuntu 16.04 ESM. (CVE-2016-10033, CVE-2016-10045)

    It was discovered that PHPMailer was not properly escaping characters in certain fields of the     code_generator.php example code. An attacker could possibly use this issue to conduct cross-site scripting     (XSS) attacks. This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04 ESM. (CVE-2017-11503)

    Yongxiang Li discovered that PHPMailer was not properly converting relative paths provided as user input     when adding attachments to messages, which could lead to relative image URLs being treated as absolute     local file paths and added as attachments. An attacker could possibly use this issue to access     unauthorized resources and expose sensitive information. This issue only affected Ubuntu 16.04 ESM.
    (CVE-2017-5223)

    Sehun Oh discovered that PHPMailer was not properly processing untrusted non-local file attachments, which     could lead to an object injection. An attacker could possibly use this issue to execute arbitrary code.
    This issue only affected Ubuntu 16.04 ESM. (CVE-2018-19296)

    Elar Lang discovered that PHPMailer was not properly escaping file attachment names, which could lead to a     misinterpretation of file types by entities processing the message. An attacker could possibly use this     issue to bypass attachment filters. This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 20.04 ESM.
    (CVE-2020-13625)

    It was discovered that PHPMailer was not properly handling callables in its validateAddress function,     which could result in untrusted code being called should the global namespace contain a function called     'php'. An attacker could possibly use this issue to execute arbitrary code. This issue was only fixed in     Ubuntu 20.04 ESM and Ubuntu 22.04 ESM. (CVE-2021-3603)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS host has a package installed that is affected by a vulnerability as referenced in the USN-4505-1 advisory.

    Elar Lang discovered that PHPMailer did not properly escape double quote characters in filenames. A remote     attacker could possibly exploit this with a crafted filename to bypass attachment filters that are based     on matching filename extensions. (CVE-2020-13625)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It was discovered that there was an escaping issue in libphp-phpmailer, an email generation utility class for the PHP programming language.

The `Content-Type` and `Content-Disposition` headers could have permitted file attachments that bypassed attachment filters which match on filename extensions.

For Debian 9 stretch, this problem has been fixed in version 5.2.14+dfsg-2.3+deb9u2.

We recommend that you upgrade your libphp-phpmailer packages.

For the detailed security status of libphp-phpmailer please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/libphp-phpmailer

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Cacti developers reports :

Multiple fixes for bundled jQuery to prevent code exec (CVE-2020-11022, CVE-2020-11023).

PHPMail contains a escaping bug (CVE-2020-13625).

SQL Injection via color.php in Cacti (CVE-2020-14295).

This update for cacti, cacti-spine fixes the following issues :

  - cacti 1.2.13 :

  - Query XSS vulnerabilities require vendor package update     (CVE-2020-11022 / CVE-2020-11023)

  - Lack of escaping on some pages can lead to XSS exposure

  - Update PHPMailer to 6.1.6 (CVE-2020-13625)

  - SQL Injection vulnerability due to input validation     failure when editing colors (CVE-2020-14295,     boo#1173090)

  - Lack of escaping on template import can lead to XSS     exposure

  - switch from cron to systemd timers (boo#1115436) :

  + cacti-cron.timer

  + cacti-cron.service

  - avoid potential root escalation on systems with     fs.protected_hardlinks=0 (boo#1154087): handle directory     permissions in file section instead of using chown     during post installation

  - rewrote apache configuration to get rid of .htaccess     files and explicitely disable directory permissions per     default (only allow a limited, well-known set of     directories)

Fix CVE-2020-13625 vulnerability.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that there was an escaping issue in libphp-phpmailer, an email generation utility class for the PHP programming language.

The `Content-Type` and `Content-Disposition` headers could have permitted file attachments that bypassed attachment filters which match on filename extensions. For more information, please see the following URL :

https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-f7hx-f qxw-rvvj

For Debian 8 'Jessie', this issue has been fixed in libphp-phpmailer version 5.2.9+dfsg-2+deb8u6.

We recommend that you upgrade your libphp-phpmailer packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This is a security release, with some other minor changes. For full details, refer to the [advisory](https://github.com/PHPMailer/PHPMailer/security/advisories/ GHSA-f7hx-fqxw-rvvj).

  - **SECURITY** Fix insufficient output escaping bug in     file attachment names. **CVE-2020-13625**. Reported by     Elar Lang of Clarified Security.

  - Correct Armenian ISO language code from am to hy, add     mapping for fallback

  - Use correct timeout property in debug output

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
172589	Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM / 22.04 ESM : PHPMailer vulnerabilities (USN-5956-1)	Nessus	Ubuntu Local Security Checks	critical
140639	Ubuntu 18.04 LTS : PHPMailer vulnerability (USN-4505-1)	Nessus	Ubuntu Local Security Checks	high
139249	Debian DLA-2306-1 : libphp-phpmailer security update	Nessus	Debian Local Security Checks	high
139112	FreeBSD : Cacti -- multiple vulnerabilities (cd2dc126-cfe4-11ea-9172-4c72b94353b5)	Nessus	FreeBSD Local Security Checks	high
138985	openSUSE Security Update : cacti / cacti-spine (openSUSE-2020-1060)	Nessus	SuSE Local Security Checks	high
137923	Fedora 31 : php-PHPMailer (2020-0bbe6304e3)	Nessus	Fedora Local Security Checks	high
137922	Fedora 32 : php-PHPMailer (2020-06e87e71fe)	Nessus	Fedora Local Security Checks	high
137371	Debian DLA-2244-1 : libphp-phpmailer security update	Nessus	Debian Local Security Checks	high
137213	Fedora 32 : php-phpmailer6 (2020-d67df93aa6)	Nessus	Fedora Local Security Checks	high
137212	Fedora 31 : php-phpmailer6 (2020-6d2e1105f2)	Nessus	Fedora Local Security Checks	high

Detections

Analytics

CVE-2020-13625

high

Tenable Plugins

critical

high

high

high

high

high

high

high

high

high