[SECURITY-L] [Security-news] Swift Mailer - Moderately critical - Access bypass - SA-CONTRIB-2024-006

CSIRT Unicamp security em unicamp.br
Quarta Janeiro 24 16:40:18 -03 2024 

View online: https://www.drupal.org/sa-contrib-2024-006

Project: Swift Mailer [1]
Date: 2024-January-24
Security risk: *Moderately critical* 12∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Description:
The Drupal Swift Mailer module extends the basic e-mail sending
functionality
provided by Drupal by delegating all e-mail handling to the Swift Mailer
library. This enables your site to take advantage of the many features which
the Swift Mailer library provides.

The module could allow an attacker to gain widespread access to a Drupal
site. This vulnerability is mitigated by the fact that an attacker must have
a means to trigger sending an email with a body that they can control, which
would requires either another contributed module or custom integration.

Solution:
Uninstall this module immediately. The swiftmailer library has been
unsupported for a year, and this module is now also unsupported.

Changing to a replacement module is suggested, the following were
specifically suggested by the module maintainers:

   * Drupal Symfony Mailer Lite [3]
   * Drupal Symfony Mailer [4]

Reported By:
   * Adam Shepherd [5]

Fixed By:
   * Adam Shepherd [6]
   * Wayne Eaker [7]

Coordinated By:
   * Damien McKenna [8] of the Drupal Security Team
   * Greg Knaddison [9] of the Drupal Security Team


[1] https://www.drupal.org/project/swiftmailer
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/symfony_mailer_lite
[4] https://www.drupal.org/project/symfony_mailer
[5] https://www.drupal.org/user/2650563
[6] https://www.drupal.org/user/2650563
[7] https://www.drupal.org/user/326925
[8] https://www.drupal.org/user/108450
[9] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news em drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

===
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - Unicamp
Centro de Computacao - CCUEC
GnuPG Public Key: http://www.security.unicamp.br/security.asc [^]
Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830
-------------- Próxima Parte ----------
Um anexo em HTML foi limpo...
URL: <http://www.listas.unicamp.br/pipermail/security-l/attachments/20240124/1522a01e/attachment.html>

Mais detalhes sobre a lista de discussão SECURITY-L