CVE-2020-7769 – nodemailer
Package
Manager: npm
Name: nodemailer
Vulnerable Version: >=0 <6.4.16
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00594 (percentile: 0.68341)
Details
Command injection in nodemailer
This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in the sendmail transport when sending mail.
Metadata
Created: 2021-05-10T19:16:52Z
Modified: 2021-04-19T22:42:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-48ww-j4fc-435p/GHSA-48ww-j4fc-435p.json
CWE IDs: ["CWE-88"]
Alternative ID: GHSA-48ww-j4fc-435p
Finding: F014
Auto approve: 1