[pkg-php-pear] Bug#962827: libphp-phpmailer: CVE-2020-13625

Salvatore Bonaccorso carnil at debian.org
Sun Jun 14 20:23:30 BST 2020

Source: libphp-phpmailer
Version: 6.1.5-0.1
Severity: grave
Tags: security upstream
Control: found -1 6.0.6-0.1
Control: found -1 5.2.14+dfsg-2.3+deb9u1
Control: found -1 5.2.14+dfsg-2.3


The following vulnerability was published for libphp-phpmailer.

Filling as RC severity as currently as libphp-phpmailer seems
currently without maintainer. Bullseye should ideally be released with
an active maintainer for libphp-phpmailer.

| PHPMailer before 6.1.6 contains an output escaping bug when the name
| of a file attachment contains a double quote character. This can
| result in the file type being misinterpreted by the receiver or any
| mail relay processing the message.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-13625
[1] https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-f7hx-fqxw-rvvj
[2] https://github.com/PHPMailer/PHPMailer/commit/c2796cb1cb99d7717290b48c4e6f32cb6c60b7b3


More information about the pkg-php-pear mailing list