CVE-2020-13625

Name: CVE-2020-13625
Description: PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-2244-1, DLA-2306-1
Debian Bugs: 962827

Vulnerable and fixed packages

The table below lists information on source packages.

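| Source Package | Release | Version | Status |
|---|---|---|---|
| libphp-phpmailer (PTS) | jessie, jessie (lts) | 5.2.9+dfsg-2+deb8u6 | fixed |
| libphp-phpmailer | stretch (security), stretch (lts), stretch | 5.2.14+dfsg-2.3+deb9u2 | fixed |
| libphp-phpmailer | buster | 6.0.6-0.1 | vulnerable |
| libphp-phpmailer | bullseye | 6.2.0-2 | fixed |
| libphp-phpmailer | bookworm | 6.6.3-1 | fixed |
| libphp-phpmailer | sid, trixie | 6.9.1-1 | fixed |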

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libphp-phpmailer | source | wheezy | (unfixed) | end-of-life | | |
| libphp-phpmailer | source | jessie | 5.2.9+dfsg-2+deb8u6 | | DLA-2244-1 | |
| libphp-phpmailer | source | stretch | 5.2.14+dfsg-2.3+deb9u2 | | DLA-2306-1 | |
| libphp-phpmailer | source | (unstable) | 6.1.6-1 | | | 962827 |

Notes

[buster] - libphp-phpmailer <no-dsa> (Minor issue)
https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-f7hx-fqxw-rvvj
https://github.com/PHPMailer/PHPMailer/commit/c2796cb1cb99d7717290b48c4e6f32cb6c60b7b3
