Drupal core Remote Code Execution

2024-05-1520:27:23

CWE-94

GitHub Advisory Database

github.com

drupal

remote code execution

shell arguments

defaultmailsystem

8 High

AI Score

Confidence

Low

JSON

In Drupal core, when sending email some variables were not being sanitized for shell arguments in DefaultMailSystem::mail(), which could lead to remote code execution.

Affected configurations

Vulners

Node

drupal_coredrupal_coreRange<8.6.2

drupal_coredrupal_coreRange<8.5.8

drupal_coredrupal_coreRange<7.60

CPENameOperatorVersion
drupal/corelt8.6.2
drupal/corelt8.5.8
drupal/corelt7.60

Name	Operator	Version
drupal/core	lt	8.6.2
drupal/core	lt	8.5.8
drupal/core	lt	7.60

References

github.com/advisories/GHSA-6mgp-v5cm-ghg5

github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/2018-10-17-4.yaml

www.drupal.org/sa-core-2018-006

8 High

AI Score

Confidence

Low

JSON