Fluid Attacks Database

Description

Drupal core Remote Code Execution In Drupal core, when sending email some variables were not being sanitized for shell arguments in DefaultMailSystem::mail(), which could lead to remote code execution.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	drupal/core	>=7.0 <7.60 \|\| >=8.0.0 <8.5.8 \|\| >=8.6.0 <8.6.2	7.60, 8.5.8, 8.6.2

Aliases

1. GCVE-GHSA-6mgp-v5cm-ghg5

References

1. https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/2018-10-17-4.yaml2. https://www.drupal.org/sa-core-2018-006

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.