Drupal core Remote Code Execution

2024-05-1520:59:25

CWE-94

GitHub Advisory Database

github.com

drupal

remote code execution

defaultmailsystem

vulnerability

8 High

AI Score

Confidence

Low

JSON

In Drupal core, when sending email some variables were not being sanitized for shell arguments in DefaultMailSystem::mail(), which could lead to remote code execution.

Affected configurations

Vulners

Node

drupaldrupalRange<8.6.2

drupaldrupalRange<8.5.8

drupaldrupalRange<7.60

CPENameOperatorVersion
drupal/drupallt8.6.2
drupal/drupallt8.5.8
drupal/drupallt7.60

Name	Operator	Version
drupal/drupal	lt	8.6.2
drupal/drupal	lt	8.5.8
drupal/drupal	lt	7.60

References

github.com/advisories/GHSA-jf8c-36vw-98x4

github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2018-10-17-4.yaml

www.drupal.org/sa-core-2018-006

8 High

AI Score

Confidence

Low

JSON