Debian Security Advisory
DLA-2244-1 libphp-phpmailer -- LTS security update
- Date Reported: 11 Jun 2020
- Affected Packages:
- Security database references: In Mitre's CVE dictionary: CVE-2020-13625.
- More information:
It was discovered that there was an escaping issue in libphp-phpmailer, an email generation utility class for the PHP programming language.
The Content-Type and Content-Disposition headers could have permitted file attachments that bypassed attachment filters which match on filename extensions. For more information, please see the upstream announcement.
PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message.
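The following is an added illustration, not code from PHPMailer or from this advisory. It is written in Python to show the receiving side: how a quoted-string parser reads a `filename` parameter when the sender did and did not escape a double quote. The function names, the sample filename and the RFC 5322 quoted-pair escaping are assumptions chosen for the example and are not the upstream patch.

```python
# Added illustration; function names and the sample filename are constructed.

def naive_disposition(filename: str) -> str:
    """Behaviour the advisory describes: the name is placed between
    double quotes with no escaping."""
    return f'Content-Disposition: attachment; filename="{filename}"'


def escaped_disposition(filename: str) -> str:
    """Escape backslash and double quote as quoted-pairs (RFC 5322
    quoted-string) before quoting the value."""
    safe = filename.replace("\\", "\\\\").replace('"', '\\"')
    return f'Content-Disposition: attachment; filename="{safe}"'


def receiver_filename(header: str) -> str:
    """Read the filename parameter the way a quoted-string parser does:
    stop at the first unescaped double quote, unescaping quoted-pairs."""
    marker = 'filename="'
    i = header.index(marker) + len(marker)
    out = []
    while i < len(header):
        ch = header[i]
        if ch == "\\" and i + 1 < len(header):
            out.append(header[i + 1])  # quoted-pair: keep the next char
            i += 2
            continue
        if ch == '"':
            break  # end of the quoted-string
        out.append(ch)
        i += 1
    return "".join(out)


def round_trips(filename: str, build) -> bool:
    """True when the receiver recovers exactly the name the sender used."""
    return receiver_filename(build(filename)) == filename


SAMPLE = 'notes".txt'  # constructed, harmless name containing a double quote

if __name__ == "__main__":
    for build in (naive_disposition, escaped_disposition):
        hdr = build(SAMPLE)
        print(hdr, "->", repr(receiver_filename(hdr)), round_trips(SAMPLE, build))
```

A round-trip check of this kind can be run in a regression test against whatever mail library generates the headers, to confirm the installed version quotes attachment names correctly.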
For Debian 8 Jessie, these problems have been fixed in version 5.2.9+dfsg-2+deb8u6.
We recommend that you upgrade your libphp-phpmailer packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS