8 High
AI Score
Confidence
Low
In Drupal core, when sending email some variables were not being sanitized for shell arguments in DefaultMailSystem::mail(), which could lead to remote code execution.
DefaultMailSystem::mail()
github.com/drupal/drupal
github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2018-10-17-4.yaml
www.drupal.org/sa-core-2018-006