
it-securitynotifies - [IT-SecNots] [Security-news] Swift Mailer - Moderately critical - Access bypass - SA-CONTRIB-2024-006

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

List archive

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Swift Mailer - Moderately critical - Access bypass - SA-CONTRIB-2024-006
  • Date: Wed, 24 Jan 2024 18:39:01 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2024-006

Project: Swift Mailer [1]
Date: 2024-January-24
Security risk: *Moderately critical* 12∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Description: 
The Drupal Swift Mailer module extends the basic e-mail sending functionality
provided by Drupal by delegating all e-mail handling to the Swift Mailer
library. This enables your site to take advantage of the many features which
the Swift Mailer library provides.

The module could allow an attacker to gain widespread access to a Drupal
site. This vulnerability is mitigated by the fact that an attacker must have
a means to trigger sending an email with a body that they can control, which
would require either another contributed module or a custom integration.

Solution: 
Uninstall this module immediately. The swiftmailer library has been
unsupported for a year, and this module is now also unsupported.

Changing to a replacement module is suggested; the following were
specifically suggested by the module maintainers:

* Drupal Symfony Mailer Lite [3]
* Drupal Symfony Mailer [4]

Reported By: 
* Adam Shepherd [5]

Fixed By: 
* Adam Shepherd [6]
* Wayne Eaker [7]

Coordinated By: 
* Damien McKenna [8] of the Drupal Security Team
* Greg Knaddison [9] of the Drupal Security Team


[1] https://www.drupal.org/project/swiftmailer
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/symfony_mailer_lite
[4] https://www.drupal.org/project/symfony_mailer
[5] https://www.drupal.org/user/2650563
[6] https://www.drupal.org/user/2650563
[7] https://www.drupal.org/user/326925
[8] https://www.drupal.org/user/108450
[9] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news


Archive provided by MHonArc 2.6.19+.