[Security-news] Mime Mail - Critical - Remote Code Execution - SA-CONTRIB-2018-068
security-news at drupal.org
Wed Oct 17 22:54:38 UTC 2018
View online: https://www.drupal.org/sa-contrib-2018-068
Project: Mime Mail [1]
Date: 2018-October-17
Security risk: *Critical* 17∕25
AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default [2]
Vulnerability: Remote Code Execution
Description:
The MIME Mail module allows sending MIME-encoded e-mail messages with
embedded images and attachments.
The module doesn't sufficiently sanitize some variables for shell arguments
when sending email, which could lead to arbitrary remote code execution.
This issue is related to the Drupal Core release SA-CORE-2018-006 [3].
Solution:
Install the latest version:
* If you use the Mime Mail module for Drupal 7.x, upgrade to Mime Mail
7.x-1.1 [4]
Also see the Mime Mail [5] project page.
Reported By:
* RainbowLyte [6]
Fixed By:
* sgabe [7]
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/mimemail
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/sa-core-2018-006
[4] https://www.drupal.org/node/3007375
[5] https://www.drupal.org/project/mimemail
[6] https://www.drupal.org/user/3518785
[7] https://www.drupal.org/user/232117
[8] https://www.drupal.org/u/greggles