Double quote flaw in uploaded file name in PHPMailer allows installing ransomware

A security flaw has been revealed in PHPMailer, the code library for sending emails safely and easily via PHP code from a web server. According to data destruction experts, exploiting this flaw would allow hackers to bypass security restrictions on affected systems, which would eventually lead to further attacks, such as ransomware infection, among others.

Below is a brief description of the reported vulnerability, in addition to its respective score and tracking key according to the Common Vulnerability Scoring System (CVSS).

Identified as CVE-2020-13625, the vulnerability exists due to insufficient validation of user-provided attachment names that contain a double quote character, which would allow remote hackers to bypass security restrictions enabled by PHPMailer users.

Unauthenticated remote threat actors can pass specially crafted file names to the application to evade those restrictions, as mentioned by data destruction specialists.
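The following added example (not PHPMailer's code, and not from the original report) shows why an unescaped double quote in an attachment name matters, assuming the name is written into a quoted MIME header parameter such as `name="..."`. The function names and the sample file name are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Naive form: wraps the name in quotes without escaping anything.
// This is the class of bug described above, not PHPMailer's actual code.
function naiveNameParam(string $name): string
{
    return 'name="' . $name . '"';
}

// Hardened form: emit an RFC 822 style quoted-string, escaping \ and ".
function quotedNameParam(string $name): string
{
    // Control characters (CR, LF, NUL, ...) are never valid here: reject them.
    if (preg_match('/[\x00-\x1F\x7F]/', $name) === 1) {
        throw new InvalidArgumentException('control character in attachment name');
    }
    return 'name="' . strtr($name, ['\\' => '\\\\', '"' => '\\"']) . '"';
}

// Minimal quoted-string reader, standing in for the receiving mail client
// or relay that decides what the attachment is called.
function readQuotedValue(string $param): string
{
    $start = strpos($param, '"');
    if ($start === false) {
        return '';
    }
    $out = '';
    $len = strlen($param);
    for ($i = $start + 1; $i < $len; $i++) {
        $c = $param[$i];
        if ($c === '\\' && $i + 1 < $len) {
            $out .= $param[++$i];   // escaped character: take it literally
        } elseif ($c === '"') {
            break;                  // unescaped quote ends the value
        } else {
            $out .= $c;
        }
    }
    return $out;
}

$name = 'report "final".pdf'; // constructed sample upload name
foreach (['naive' => naiveNameParam($name), 'quoted' => quotedNameParam($name)] as $label => $param) {
    printf("%-6s %-30s receiver reads: %s\n", $label, $param, var_export(readQuotedValue($param), true));
}
```

With the naive form the receiver's value ends at the first embedded quote, so the name and extension it acts on differ from what the sending application validated; the escaped form round-trips the full name.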

The vulnerability received a score of 3.2/10 on the CVSS scale. This flaw resides in the following PHPMailer versions: 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, and 6.1.5. Although this vulnerability can be exploited remotely by unauthenticated threat actors, data destruction specialists have not detected cases of active exploitation or the existence of malware related to this attack.

PHPMailer developers have already released an update to fix this bug, so it is recommended that affected deployment administrators install the patches as soon as possible.