View online: https://www.drupal.org/sa-contrib-2024-006

Project: Swift Mailer [1] Date: 2024-January-24 Security risk: *Moderately critical* 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Access bypass

Description:  The Drupal Swift Mailer module extends the basic e-mail sending functionality provided by Drupal by delegating all e-mail handling to the Swift Mailer library. This enables your site to take advantage of the many features which the Swift Mailer library provides.

The module could allow an attacker to gain widespread access to a Drupal site. This vulnerability is mitigated by the fact that an attacker must have a means to trigger sending an email with a body that they can control, which would requires either another contributed module or custom integration.

Solution:  Uninstall this module immediately. The swiftmailer library has been unsupported for a year, and this module is now also unsupported.

Changing to a replacement module is suggested, the following were specifically suggested by the module maintainers:

* Drupal Symfony Mailer Lite [3] * Drupal Symfony Mailer [4]

Reported By:  * Adam Shepherd [5]

Fixed By:  * Adam Shepherd [6] * Wayne Eaker [7]

Coordinated By:  * Damien McKenna [8] of the Drupal Security Team * Greg Knaddison [9] of the Drupal Security Team

[1] https://www.drupal.org/project/swiftmailer [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/symfony_mailer_lite [4] https://www.drupal.org/project/symfony_mailer [5] https://www.drupal.org/user/2650563 [6] https://www.drupal.org/user/2650563 [7] https://www.drupal.org/user/326925 [8] https://www.drupal.org/user/108450 [9] https://www.drupal.org/user/36762