HTML Mail - Critical - Remote Code Execution - SA-CONTRIB-2018-069

Project: HTML Mail
Date: 2018-October-17
Security risk: *Critical* 17∕25
Vulnerability: Remote Code Execution


The HTML Mail module lets you theme your messages the same way you theme the
rest of your website.

When sending email some variables were not being sanitized for shell
arguments, which could lead to remote code execution.

This issue is related to the Drupal Core release SA-CORE-2018-006.


Install the latest version:

* If you are running Drupal 7.x, update to 7.x-2.71.
* In case you're still using 7.x-2.65, there is a version 7.x-2.66
which has only the security patch applied, but you must realize that
you are running old code and you're missing a number of bug fixes.

Also see the HTML Mail project page.

Add new comment