PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message.

The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM / 22.04 ESM host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5956-1 advisory.

  - The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to     pass extra parameters to the mail command and consequently execute arbitrary code via a \ (backslash     double quote) in a crafted Sender property. (CVE-2016-10033)

  - The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to     the mail command and consequently execute arbitrary code by leveraging improper interaction between the     escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this     vulnerability exists because of an incorrect fix for CVE-2016-10033. (CVE-2016-10045)

  - PHPMailer 5.2.23 has XSS in the From Email Address and To Email Address fields of code_generator.php.
    (CVE-2017-11503)

  - An issue was discovered in PHPMailer before 5.2.22. PHPMailer's msgHTML method applies transformations to     an HTML document to make it usable as an email message body. One of the transformations is to convert     relative image URLs into attachments using a script-provided base directory. If no base directory is     provided, it resolves to /, meaning that relative image URLs get treated as absolute local file paths and     added as attachments. To form a remote vulnerability, the msgHTML method must be called, passed an     unfiltered, user-supplied HTML document, and must not set a base directory. (CVE-2017-5223)

  - PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack. (CVE-2018-19296)

  - PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a     double quote character. This can result in the file type being misinterpreted by the receiver or any mail     relay processing the message. (CVE-2020-13625)

  - PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if     such code is injected into the host project's scope by other means). If the $patternselect parameter to     validateAddress() is set to 'php' (the default, defined by PHPMailer::$validator), and the global     namespace contains a function called php, it will be called in preference to the built-in validator of the     same name. Mitigated in PHPMailer 6.5.0 by denying the use of simple strings as validator function names.
    (CVE-2021-3603)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS host has a package installed that is affected by a vulnerability as referenced in the USN-4505-1 advisory.

  - PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a     double quote character. This can result in the file type being misinterpreted by the receiver or any mail     relay processing the message. (CVE-2020-13625)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It was discovered that there was an escaping issue in libphp-phpmailer, an email generation utility class for the PHP programming language.

The `Content-Type` and `Content-Disposition` headers could have permitted file attachments that bypassed attachment filters which match on filename extensions.

For Debian 9 stretch, this problem has been fixed in version 5.2.14+dfsg-2.3+deb9u2.

We recommend that you upgrade your libphp-phpmailer packages.

For the detailed security status of libphp-phpmailer please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/libphp-phpmailer

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Cacti developers reports :

Multiple fixes for bundled jQuery to prevent code exec (CVE-2020-11022, CVE-2020-11023).

PHPMail contains a escaping bug (CVE-2020-13625).

SQL Injection via color.php in Cacti (CVE-2020-14295).

This update for cacti, cacti-spine fixes the following issues :

  - cacti 1.2.13 :

  - Query XSS vulnerabilities require vendor package update     (CVE-2020-11022 / CVE-2020-11023)

  - Lack of escaping on some pages can lead to XSS exposure

  - Update PHPMailer to 6.1.6 (CVE-2020-13625)

  - SQL Injection vulnerability due to input validation     failure when editing colors (CVE-2020-14295,     boo#1173090)

  - Lack of escaping on template import can lead to XSS     exposure

  - switch from cron to systemd timers (boo#1115436) :

  + cacti-cron.timer

  + cacti-cron.service

  - avoid potential root escalation on systems with     fs.protected_hardlinks=0 (boo#1154087): handle directory     permissions in file section instead of using chown     during post installation

  - rewrote apache configuration to get rid of .htaccess     files and explicitely disable directory permissions per     default (only allow a limited, well-known set of     directories)

Fix CVE-2020-13625 vulnerability.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that there was an escaping issue in libphp-phpmailer, an email generation utility class for the PHP programming language.

The `Content-Type` and `Content-Disposition` headers could have permitted file attachments that bypassed attachment filters which match on filename extensions. For more information, please see the following URL :

https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-f7hx-f qxw-rvvj

For Debian 8 'Jessie', this issue has been fixed in libphp-phpmailer version 5.2.9+dfsg-2+deb8u6.

We recommend that you upgrade your libphp-phpmailer packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This is a security release, with some other minor changes. For full details, refer to the [advisory](https://github.com/PHPMailer/PHPMailer/security/advisories/ GHSA-f7hx-fqxw-rvvj).

  - **SECURITY** Fix insufficient output escaping bug in     file attachment names. **CVE-2020-13625**. Reported by     Elar Lang of Clarified Security.

  - Correct Armenian ISO language code from am to hy, add     mapping for fallback

  - Use correct timeout property in debug output

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
172589	Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM / 22.04 ESM : PHPMailer vulnerabilities (USN-5956-1)	Nessus	Ubuntu Local Security Checks	critical
140639	Ubuntu 18.04 LTS : PHPMailer vulnerability (USN-4505-1)	Nessus	Ubuntu Local Security Checks	high
139249	Debian DLA-2306-1 : libphp-phpmailer security update	Nessus	Debian Local Security Checks	high
139112	FreeBSD : Cacti -- multiple vulnerabilities (cd2dc126-cfe4-11ea-9172-4c72b94353b5)	Nessus	FreeBSD Local Security Checks	high
138985	openSUSE Security Update : cacti / cacti-spine (openSUSE-2020-1060)	Nessus	SuSE Local Security Checks	high
137923	Fedora 31 : php-PHPMailer (2020-0bbe6304e3)	Nessus	Fedora Local Security Checks	high
137922	Fedora 32 : php-PHPMailer (2020-06e87e71fe)	Nessus	Fedora Local Security Checks	high
137371	Debian DLA-2244-1 : libphp-phpmailer security update	Nessus	Debian Local Security Checks	high
137213	Fedora 32 : php-phpmailer6 (2020-d67df93aa6)	Nessus	Fedora Local Security Checks	high
137212	Fedora 31 : php-phpmailer6 (2020-6d2e1105f2)	Nessus	Fedora Local Security Checks	high

Detections

Analytics

CVE-2020-13625

high

Tenable Plugins

critical

high

high

high

high

high

high

high

high

high