Vulnerabilities affecting this package (0)
| Vulnerability |
Summary |
Fixed by |
|
This package is not known to be affected by vulnerabilities.
|
Vulnerabilities fixed by this package (3)
| Vulnerability |
Summary |
Aliases |
|
VCID-5h8d-enm7-rqbw
|
Potential XSS vulnerability in jQuery
### Impact
Passing HTML containing `<option>` elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. `.html()`, `.append()`, and others) may execute untrusted code.
### Patches
This problem is patched in jQuery 3.5.0.
### Workarounds
To workaround this issue without upgrading, use [DOMPurify](https://github.com/cure53/DOMPurify) with its `SAFE_FOR_JQUERY` option to sanitize the HTML string before passing it to a jQuery method.
### References
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
### For more information
If you have any questions or comments about this advisory, search for a relevant issue in [the jQuery repo](https://github.com/jquery/jquery/issues). If you don't find an answer, open a new issue.
|
CVE-2020-11023
GHSA-jpcq-cgw6-v4j6
|
|
VCID-8u7z-w4pc-cqaf
|
Insufficient output escaping of attachment names in PHPMailer
### Impact
CWE-116: Incorrect output escaping.
An attachment added like this (note the double quote within the attachment name, which is entirely valid):
$mail->addAttachment('/tmp/attachment.tmp', 'filename.html";.jpg');
Will result in a message containing these headers:
Content-Type: application/octet-stream; name="filename.html";.jpg"
Content-Disposition: attachment; filename="filename.html";.jpg"
The attachment will be named `filename.html`, and the trailing `";.jpg"` will be ignored. Mail filters that reject `.html` attachments but permit `.jpg` attachments may be fooled by this.
Note that the MIME type itself is obtained automatically from the *source filename* (in this case `attachment.tmp`, which maps to a generic `application/octet-stream` type), and not the *name* given to the attachment (though these are the same if a separate name is not provided), though it can be set explicitly in other parameters to attachment methods.
### Patches
Patched in PHPMailer 6.1.6 by escaping double quotes within the name using a backslash, as per RFC822 section 3.4.1, resulting in correctly escaped headers like this:
Content-Type: application/octet-stream; name="filename.html\";.jpg"
Content-Disposition: attachment; filename="filename.html\";.jpg"
### Workarounds
Reject or filter names and filenames containing double quote (`"`) characters before passing them to attachment functions such as `addAttachment()`.
### References
[CVE-2020-13625](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13625).
[PHPMailer 6.1.6 release](https://github.com/PHPMailer/PHPMailer/releases/tag/v6.1.6)
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [the PHPMailer repo](https://github.com/PHPMailer/PHPMailer/issues)
|
CVE-2020-13625
GHSA-f7hx-fqxw-rvvj
|
|
VCID-uv8j-jfsm-gbbu
|
|
CVE-2020-14295
|