In Drupal core, when sending email, some variables were not being sanitized for shell arguments in DefaultMailSystem::mail(), which could lead to remote code execution.

| CPE | Name | Operator | Version |
|---|---|---|---|
| | drupal/drupal | lt | 8.6.2 |
| | drupal/drupal | lt | 8.5.8 |
| | drupal/drupal | lt | 7.60 |