Search for packages
| purl | pkg:deb/debian/libphp-phpmailer@5.1-1.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-16kp-5zpw-fbha
Aliases: CVE-2020-13625 GHSA-f7hx-fqxw-rvvj |
Insufficient output escaping of attachment names in PHPMailer ### Impact CWE-116: Incorrect output escaping. An attachment added like this (note the double quote within the attachment name, which is entirely valid): $mail->addAttachment('/tmp/attachment.tmp', 'filename.html";.jpg'); Will result in a message containing these headers: Content-Type: application/octet-stream; name="filename.html";.jpg" Content-Disposition: attachment; filename="filename.html";.jpg" The attachment will be named `filename.html`, and the trailing `";.jpg"` will be ignored. Mail filters that reject `.html` attachments but permit `.jpg` attachments may be fooled by this. Note that the MIME type itself is obtained automatically from the *source filename* (in this case `attachment.tmp`, which maps to a generic `application/octet-stream` type), and not the *name* given to the attachment (though these are the same if a separate name is not provided), though it can be set explicitly in other parameters to attachment methods. ### Patches Patched in PHPMailer 6.1.6 by escaping double quotes within the name using a backslash, as per RFC822 section 3.4.1, resulting in correctly escaped headers like this: Content-Type: application/octet-stream; name="filename.html\";.jpg" Content-Disposition: attachment; filename="filename.html\";.jpg" ### Workarounds Reject or filter names and filenames containing double quote (`"`) characters before passing them to attachment functions such as `addAttachment()`. ### References [CVE-2020-13625](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13625). [PHPMailer 6.1.6 release](https://github.com/PHPMailer/PHPMailer/releases/tag/v6.1.6) ### For more information If you have any questions or comments about this advisory: * Open an issue in [the PHPMailer repo](https://github.com/PHPMailer/PHPMailer/issues) |
Affected by 1 other vulnerability. |
|
VCID-4mjb-ur86-hkaz
Aliases: CVE-2020-36326 GHSA-m298-fh5c-jc66 |
Object injection in PHPMailer/PHPMailer ### Impact This is a reintroduction of an earlier issue (CVE-2018-19296) by an unrelated bug fix in PHPMailer 6.1.8. An external file may be unexpectedly executable if it is used as a path to an attachment file via PHP's support for `.phar` files`. Exploitation requires that an attacker is able to provide an unfiltered path to a file to attach, or to trick calling code into generating one. See [this article](https://knasmueller.net/5-answers-about-php-phar-exploitation) for more info. ### Patches This issue was patched in the PHPMailer 6.4.1 release. This release also implements stricter filtering for attachment paths; paths that look like *any* kind of URL are rejected. ### Workarounds Validate paths to loaded files using the same pattern as used in [`isPermittedPath()`](https://github.com/PHPMailer/PHPMailer/blob/master/src/PHPMailer.php#L1815) before using them in *any* PHP file function, such as `file_exists`. This method can't be used directly because it is protected, but you can implement the same thing in calling code. Note that this should be applied to *all* user-supplied paths passed into such functions; it's not a problem specific to PHPMailer. ### Credit This issue was found by Fariskhi Vidyan, reported and managed via Tidelift. |
Affected by 1 other vulnerability. |
|
VCID-7kvh-8w1t-2kej
Aliases: CVE-2015-8476 GHSA-738m-f33v-qc2r |
Multiple CRLF injection vulnerabilities allow attackers to inject arbitrary SMTP commands via CRLF sequences in an email address to the `validateAddress` function in `class.phpmailer.php` or SMTP command to the `sendCommand` function in `class.smtp.php`. |
Affected by 7 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-8msv-t7dq-qkd2
Aliases: DSA-3750-2 libphp-phpmailer |
regression update |
Affected by 7 other vulnerabilities. |
|
VCID-cq4m-3q7u-cbg3
Aliases: CVE-2016-10033 GHSA-5f37-gxvh-23v6 |
Remote code execution in PHPMailer ### Impact The `mailSend` function in the default `isMail` transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted `Sender` property. ### Patches Fixed in 5.2.18 ### Workarounds Filter and validate user input before passing it to internal functions. ### References https://nvd.nist.gov/vuln/detail/CVE-2016-10033 Related to a follow-on issue in https://nvd.nist.gov/vuln/detail/CVE-2016-10045 ### For more information If you have any questions or comments about this advisory: * Open a private issue in [the PHPMailer project](https://github.com/PHPMailer/PHPMailer) |
Affected by 7 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-f585-qf89-f7f3
Aliases: CVE-2018-19296 GHSA-7w4p-72j7-v7c2 |
Object injection PHPMailer is vulnerable to an object injection attack. |
Affected by 4 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-ywsv-ddhg-b7es
Aliases: CVE-2017-5223 GHSA-4x5h-cr29-fhp6 |
Local File Disclosure PHPMailer's `msgHTML` method applies transformations to an HTML document to make it usable as an email message body. One of the transformations is to convert relative image URLs into attachments using a script-provided base directory. If no base directory is provided, it resolves to `/`, meaning that relative image URLs get treated as absolute local file paths and added as attachments. |
Affected by 4 other vulnerabilities. |
|
VCID-zju7-7wax-zfhz
Aliases: CVE-2017-11503 GHSA-58mj-pw57-4vm2 |
XSS vulnerability in code example The `code_generator.phps` example does not filter user input prior to output. This file is distributed with a `.phps` extension, so it it not normally executable unless it is explicitly renamed, so it is safe by default. There's also an undisclosed potential XSS vulnerability in the default exception handler (unused by default). |
Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-7kvh-8w1t-2kej | Multiple CRLF injection vulnerabilities allow attackers to inject arbitrary SMTP commands via CRLF sequences in an email address to the `validateAddress` function in `class.phpmailer.php` or SMTP command to the `sendCommand` function in `class.smtp.php`. |
CVE-2015-8476
GHSA-738m-f33v-qc2r |