Mime Mail - Critical - Remote Code Execution - SA-CONTRIB-2018-068

Project: Mime Mail
Date: 2018-October-17
Security risk: *Critical* 17∕25
Vulnerability: Remote Code Execution

Description

The MIME Mail module allows sending MIME-encoded e-mail messages with
embedded images and attachments.

The module doesn't sufficiently sanitize some variables for shell arguments
when sending email, which could lead to arbitrary remote code execution.

This issue is related to the Drupal Core release SA-CORE-2018-006.
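
The class of check that closes this kind of hole, as an added example (not code from Mime Mail or Drupal core): an allow-list test applied to a value before it is appended to the mail transport's command line. The advisory does not name the affected variables, so the envelope-sender use case, the `-f` parameter, and the function names `mail_arg_is_shell_safe()` and `build_mail_params()` are assumptions made for illustration.

```php
<?php
/**
 * Added illustration. Function names are hypothetical; the value being
 * checked is assumed to be an envelope sender address.
 */

/**
 * Returns TRUE only if $value can be placed on a mail transport's command
 * line without a shell or the transport binary reinterpreting any part of it.
 */
function mail_arg_is_shell_safe($value) {
  if (!is_string($value) || $value === '') {
    return FALSE;
  }
  // Allow-list: letters, digits and the few punctuation characters an
  // address needs. Whitespace, quotes, $, `, ;, |, & and newlines all fail.
  if (preg_match('/[^a-zA-Z0-9@_\-.]/', $value) !== 0) {
    return FALSE;
  }
  // A leading dash would be parsed as an option by the transport binary.
  if ($value[0] === '-') {
    return FALSE;
  }
  // Defence in depth: shell escaping must be a no-op for a safe value.
  return escapeshellcmd($value) === $value;
}

/**
 * Builds the extra parameter string for mail(). An unsafe value is dropped,
 * so the transport falls back to its default sender instead of receiving
 * attacker-influenced arguments.
 */
function build_mail_params($envelope_sender) {
  return mail_arg_is_shell_safe($envelope_sender) ? '-f' . $envelope_sender : '';
}

// Constructed sample values: one well-formed address, four that must be rejected.
$samples = array(
  'bounce@example.com',
  'a b@example.com',
  "user'@example.com",
  'user$(x)@example.com',
  '-bounce@example.com',
);
foreach ($samples as $s) {
  printf("%-24s => %s\n", $s, var_export(build_mail_params($s), TRUE));
}
```

Rejecting the value outright, rather than trying to escape it, avoids depending on how the mail function and the transport each re-parse the argument string.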

Solution

Install the latest version:

* If you use the Mime Mail module for Drupal 7.x, upgrade to Mime Mail 7.x-1.1

Also see the Mime Mail project page.
