VulnerableCode Package Details - pkg:deb/debian/libphp-phpmailer@6.0.6-0.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-vc72-ptj1-kyh4 Aliases: CVE-2020-13625 GHSA-f7hx-fqxw-rvvj	PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message.	6.2.0-2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-vqjk-32b7-zkgz Aliases: CVE-2020-36326 GHSA-m298-fh5c-jc66	Object injection in PHPMailer/PHPMailer ### Impact This is a reintroduction of an earlier issue (CVE-2018-19296) by an unrelated bug fix in PHPMailer 6.1.8. An external file may be unexpectedly executable if it is used as a path to an attachment file via PHP's support for `.phar` files`. Exploitation requires that an attacker is able to provide an unfiltered path to a file to attach, or to trick calling code into generating one. See [this article](https://knasmueller.net/5-answers-about-php-phar-exploitation) for more info. ### Patches This issue was patched in the PHPMailer 6.4.1 release. This release also implements stricter filtering for attachment paths; paths that look like any kind of URL are rejected. ### Workarounds Validate paths to loaded files using the same pattern as used in [`isPermittedPath()`](https://github.com/PHPMailer/PHPMailer/blob/master/src/PHPMailer.php#L1815) before using them in any PHP file function, such as `file_exists`. This method can't be used directly because it is protected, but you can implement the same thing in calling code. Note that this should be applied to all user-supplied paths passed into such functions; it's not a problem specific to PHPMailer. ### Credit This issue was found by Fariskhi Vidyan, reported and managed via Tidelift.	6.2.0-2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-vc72-ptj1-kyh4
Aliases:
CVE-2020-13625
GHSA-f7hx-fqxw-rvvj

PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message.

6.2.0-2
Affected by 1 other vulnerability.

VCID-vqjk-32b7-zkgz
Aliases:
CVE-2020-36326
GHSA-m298-fh5c-jc66

Object injection in PHPMailer/PHPMailer ### Impact This is a reintroduction of an earlier issue (CVE-2018-19296) by an unrelated bug fix in PHPMailer 6.1.8. An external file may be unexpectedly executable if it is used as a path to an attachment file via PHP's support for `.phar` files`. Exploitation requires that an attacker is able to provide an unfiltered path to a file to attach, or to trick calling code into generating one. See [this article](https://knasmueller.net/5-answers-about-php-phar-exploitation) for more info. ### Patches This issue was patched in the PHPMailer 6.4.1 release. This release also implements stricter filtering for attachment paths; paths that look like *any* kind of URL are rejected. ### Workarounds Validate paths to loaded files using the same pattern as used in [`isPermittedPath()`](https://github.com/PHPMailer/PHPMailer/blob/master/src/PHPMailer.php#L1815) before using them in *any* PHP file function, such as `file_exists`. This method can't be used directly because it is protected, but you can implement the same thing in calling code. Note that this should be applied to *all* user-supplied paths passed into such functions; it's not a problem specific to PHPMailer. ### Credit This issue was found by Fariskhi Vidyan, reported and managed via Tidelift.

6.2.0-2
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-429k-1vmw-kfgp		CVE-2017-11503 GHSA-58mj-pw57-4vm2
VCID-tgrc-1eek-q7e9	PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.	CVE-2018-19296 GHSA-7w4p-72j7-v7c2

Vulnerability

Summary

Aliases

VCID-429k-1vmw-kfgp

CVE-2017-11503
GHSA-58mj-pw57-4vm2

VCID-tgrc-1eek-q7e9

PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.

CVE-2018-19296
GHSA-7w4p-72j7-v7c2

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-08-01T18:08:25.168747+00:00	Debian Oval Importer	Fixing	VCID-429k-1vmw-kfgp	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T16:30:22.725773+00:00	Debian Oval Importer	Affected by	VCID-vc72-ptj1-kyh4	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T15:18:54.884234+00:00	Debian Oval Importer	Fixing	VCID-tgrc-1eek-q7e9	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T13:10:10.649268+00:00	Debian Oval Importer	Affected by	VCID-vqjk-32b7-zkgz	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0