it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Mime Mail - Critical - Remote Code Execution - SA-CONTRIB-2018-068
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Mime Mail - Critical - Remote Code Execution - SA-CONTRIB-2018-068
- Date: Wed, 17 Oct 2018 22:54:38 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2018-068
Project: Mime Mail [1]
Date: 2018-October-17
Security risk: *Critical* 17∕25
AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default [2]
Vulnerability: Remote Code Execution
Description:
The MIME Mail module allows sending MIME-encoded e-mail messages with
embedded images and attachments.
The module doesn't sufficiently sanitize some variables for shell arguments
when sending email, which could lead to arbitrary remote code execution.
This issue is related to the Drupal Core release SA-CORE-2018-006 [3].
Solution:
Install the latest version:
* If you use the Mime Mail module for Drupal 7.x, upgrade to Mime Mail
7.x-1.1 [4]
Also see the Mime Mail [5] project page.
Reported By:
* RainbowLyte [6]
Fixed By:
* sgabe [7]
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/mimemail
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/sa-core-2018-006
[4] https://www.drupal.org/node/3007375
[5] https://www.drupal.org/project/mimemail
[6] https://www.drupal.org/user/3518785
[7] https://www.drupal.org/user/232117
[8] https://www.drupal.org/u/greggles