PT-2021-12009 · Phpmailer · Phpmailer

Published: 2021-04-28 · Updated: 2024-03-06 · CVE-2020-36326

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: PHPMailer versions 6.1.8 through 6.4.0
Description: The issue allows object injection through Phar Deserialization via the addAttachment method with a UNC pathname. This is a reintroduction of an earlier problem due to an unrelated bug fix in PHPMailer 6.1.8. An external file may be unexpectedly executable if it is used as a path to an attachment file via PHP's support for .phar files. Exploitation requires that an attacker is able to provide an unfiltered path to a file to attach, or to trick calling code into generating one.
Recommendations: For PHPMailer versions 6.1.8 through 6.4.0, update to PHPMailer 6.4.1 to resolve the issue. As a temporary workaround, validate paths to loaded files using the same pattern as isPermittedPath() before passing them to any PHP file function, such as file_exists(). Apply this check to every user-supplied path that reaches such functions.
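One way to apply the recommended workaround, as an added example that is not PHPMailer's own code: gate every caller-supplied attachment path before any PHP file function sees it. The scheme-prefix regex mirrors the isPermittedPath() pattern the advisory refers to; the function names isPermittedAttachmentPath() and attachmentPathIsUsable() are chosen for this example, and the UNC-path rejection is an assumption drawn from the advisory's description rather than a copy of the upstream fix.

```php
<?php
// Added example (not PHPMailer's own code): a path gate modelled on the
// isPermittedPath() pattern the advisory recommends, applied before any
// PHP file function touches a caller-supplied attachment path.
// The helper names and the UNC check are assumptions made for this example.

declare(strict_types=1);

/**
 * Reject paths that PHP would route through a stream wrapper (phar://,
 * php://, http://, data://, ...). A URL-style scheme prefix means a file
 * function such as file_exists() would invoke that wrapper instead of
 * touching a plain filesystem path.
 */
function isPermittedAttachmentPath(string $path): bool
{
    // Same shape as the isPermittedPath() check: any "scheme://" prefix is refused.
    if (preg_match('#^[a-z][a-z\d+.-]*://#i', $path) === 1) {
        return false;
    }
    // Assumption for this example: also refuse UNC-style paths (\\host\share),
    // since the advisory describes the trigger as a UNC pathname.
    if (strpos($path, '\\\\') === 0 || strpos($path, '//') === 0) {
        return false;
    }
    return true;
}

/**
 * Only call file_exists()/is_readable() once the path has passed the gate,
 * so a wrapper path is never handed to a file function.
 */
function attachmentPathIsUsable(string $path): bool
{
    if (!isPermittedAttachmentPath($path)) {
        return false;
    }
    return file_exists($path) && is_readable($path);
}

// Constructed sample inputs (not taken from the advisory) for a self-check.
$samples = [
    '/tmp/report.pdf'                  => true,  // plain path: passes the gate, then checked on disk
    'phar:///tmp/archive.phar/a.txt'   => false, // phar wrapper: refused
    'PHAR://upload/x.phar/a'           => false, // scheme match is case-insensitive
    '\\\\untrusted-host\\share\\x.phar' => false, // UNC path: refused (assumption)
    'data://text/plain;base64,SGk='    => false, // other wrappers: refused
];

foreach ($samples as $path => $expected) {
    $result = isPermittedAttachmentPath($path);
    printf("%-36s permitted=%-5s expected=%s\n",
        $path, var_export($result, true), var_export($expected, true));
    assert($result === $expected);
}
```

The gate deliberately allows only plain filesystem paths; it does not try to enumerate dangerous wrappers, so a wrapper the allowlist author never heard of is refused as well. Run the check before file_exists(), is_file() or any similar call, not after, because the wrapper is invoked by the file function itself.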

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers

BIT-PHPMAILER-2020-36326
BIT-WORDPRESS-2020-36326
BIT-WORDPRESS-MULTISITE-2020-36326
CVE-2020-36326
DLA-2731-1
GHSA-M298-FH5C-JC66

Affected Products

Phpmailer