[Security-news] HTML Mail - Critical - Remote Code Execution - SA-CONTRIB-2018-069
security-news at drupal.org
security-news at drupal.org
Wed Oct 17 22:54:41 UTC 2018
View online: https://www.drupal.org/sa-contrib-2018-069
Project: HTML Mail [1]
Date: 2018-October-17
Security risk: *Critical* 17∕25
AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All [2]
Vulnerability: Remote Code Execution
Description:
The HTML Mail module lets you theme your messages the same way you theme the
rest of your website.
When sending email some variables were not being sanitized for shell
arguments, which could lead to remote code execution.
This issue is related to the Drupal Core release SA-CORE-2018-006 [3].
Solution:
Install the latest version:
* If you are running Drupal 7.x,
* update to 7.x-2.71 [4].
* In case you're still using 7.x-2.65, there is a version 7.x-2.66 [5]
which has only the security patch applied, but you must realize that
you are running old code and you're missing a number of bug fixes.
Also see the HTML Mail [6] project page.
Reported By:
* Damien Tournoud [7]
Fixed By:
* Hans Salvisberg [8]
Coordinated By:
* Greg Knaddison [9] of the Drupal Security Team
[1] https://www.drupal.org/project/htmlmail
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/sa-core-2018-006
[4] https://www.drupal.org/project/htmlmail/releases/7.x-2.71
[5] https://www.drupal.org/project/htmlmail/releases/7.x-2.66
[6] https://www.drupal.org/project/htmlmail
[7] https://www.drupal.org/user/22211
[8] https://www.drupal.org/user/82964
[9] https://www.drupal.org/u/greggles
More information about the Security-news
mailing list