CVE-2020-13625

Name of the Vulnerable Software and Affected Versions PHPMailer versions prior to 6.1.6

Description The issue is related to an output escaping bug in PHPMailer. When the name of a file attachment contains a double quote character, it can result in the file type being misinterpreted by the receiver or any mail relay processing the message. This bug is associated with a lack of output encoding or escaping mechanism in multiple functions of the PHPMailer class. The exploitation of this bug can allow a remote attacker to impact data integrity.

Recommendations For versions prior to 6.1.6, update to version 6.1.6 or later to resolve the issue. As a temporary workaround, consider avoiding the use of double quote characters in file attachment names until a patch is applied. Restrict access to the vulnerable PHPMailer functions to minimize the risk of exploitation.