[Security-news] Swift Mailer - Moderately critical - Access bypass - SA-CONTRIB-2024-006
security-news at drupal.org
security-news at drupal.org
Wed Jan 24 18:39:01 UTC 2024
View online: https://www.drupal.org/sa-contrib-2024-006
Project: Swift Mailer [1]
Date: 2024-January-24
Security risk: *Moderately critical* 12∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Description:
The Drupal Swift Mailer module extends the basic e-mail sending functionality
provided by Drupal by delegating all e-mail handling to the Swift Mailer
library. This enables your site to take advantage of the many features which
the Swift Mailer library provides.
The module could allow an attacker to gain widespread access to a Drupal
site. This vulnerability is mitigated by the fact that an attacker must have
a means to trigger sending an email with a body that they can control, which
would requires either another contributed module or custom integration.
Solution:
Uninstall this module immediately. The swiftmailer library has been
unsupported for a year, and this module is now also unsupported.
Changing to a replacement module is suggested, the following were
specifically suggested by the module maintainers:
* Drupal Symfony Mailer Lite [3]
* Drupal Symfony Mailer [4]
Reported By:
* Adam Shepherd [5]
Fixed By:
* Adam Shepherd [6]
* Wayne Eaker [7]
Coordinated By:
* Damien McKenna [8] of the Drupal Security Team
* Greg Knaddison [9] of the Drupal Security Team
[1] https://www.drupal.org/project/swiftmailer
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/symfony_mailer_lite
[4] https://www.drupal.org/project/symfony_mailer
[5] https://www.drupal.org/user/2650563
[6] https://www.drupal.org/user/2650563
[7] https://www.drupal.org/user/326925
[8] https://www.drupal.org/user/108450
[9] https://www.drupal.org/user/36762
More information about the Security-news
mailing list