View online: https://www.drupal.org/sa-contrib-2018-068
Project: Mime Mail [1] Date: 2018-October-17 Security risk: *Critical* 17∕25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default [2] Vulnerability: Remote Code Execution
Description: The MIME Mail module allows to send MIME-encoded e-mail messages with embedded images and attachments.
The module doesn't sufficiently sanitized some variables for shell arguments when sending email, which could lead to arbitrary remote code execution.
This issue is related to the Drupal Core release SA-CORE-2018-006 [3].
Solution: Install the latest version:
* If you use the Mime Mail module for Drupal 7.x, upgrade to Mime Mail 7.x-1.1 [4]
Also see the Mime Mail [5] project page.
Reported By: * RainbowLyte [6]
Fixed By: * sgabe [7]
Coordinated By: * Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/mimemail [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/sa-core-2018-006 [4] https://www.drupal.org/node/3007375 [5] https://www.drupal.org/project/mimemail [6] https://www.drupal.org/user/3518785 [7] https://www.drupal.org/user/232117 [8] https://www.drupal.org/u/greggles