<div dir="ltr"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><br></div></div></div></div><div class="gmail_quote">View online: <a href="https://www.drupal.org/sa-contrib-2024-006" rel="noreferrer" target="_blank">https://www.drupal.org/sa-contrib-2024-006</a><br>
<br>
Project: Swift Mailer [1]<br>
Date: 2024-January-24<br>
Security risk: *Moderately critical* 12∕25<br>
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]<br>
Vulnerability: Access bypass<br>
<br>
Description: <br>
The Drupal Swift Mailer module extends the basic e-mail sending functionality<br>
provided by Drupal by delegating all e-mail handling to the Swift Mailer<br>
library. This enables your site to take advantage of the many features which<br>
the Swift Mailer library provides.<br>
<br>
The module could allow an attacker to gain widespread access to a Drupal<br>
site. This vulnerability is mitigated by the fact that an attacker must have<br>
a means to trigger sending an email with a body that they can control, which<br>
would requires either another contributed module or custom integration.<br>
<br>
Solution: <br>
Uninstall this module immediately. The swiftmailer library has been<br>
unsupported for a year, and this module is now also unsupported.<br>
<br>
Changing to a replacement module is suggested, the following were<br>
specifically suggested by the module maintainers:<br>
<br>
   * Drupal Symfony Mailer Lite [3]<br>
   * Drupal Symfony Mailer [4]<br>
<br>
Reported By: <br>
   * Adam Shepherd [5]<br>
<br>
Fixed By: <br>
   * Adam Shepherd [6]<br>
   * Wayne Eaker [7]<br>
<br>
Coordinated By: <br>
   * Damien McKenna [8] of the Drupal Security Team<br>
   * Greg Knaddison [9] of the Drupal Security Team<br>
<br>
<br>
[1] <a href="https://www.drupal.org/project/swiftmailer" rel="noreferrer" target="_blank">https://www.drupal.org/project/swiftmailer</a><br>
[2] <a href="https://www.drupal.org/security-team/risk-levels" rel="noreferrer" target="_blank">https://www.drupal.org/security-team/risk-levels</a><br>
[3] <a href="https://www.drupal.org/project/symfony_mailer_lite" rel="noreferrer" target="_blank">https://www.drupal.org/project/symfony_mailer_lite</a><br>
[4] <a href="https://www.drupal.org/project/symfony_mailer" rel="noreferrer" target="_blank">https://www.drupal.org/project/symfony_mailer</a><br>
[5] <a href="https://www.drupal.org/user/2650563" rel="noreferrer" target="_blank">https://www.drupal.org/user/2650563</a><br>
[6] <a href="https://www.drupal.org/user/2650563" rel="noreferrer" target="_blank">https://www.drupal.org/user/2650563</a><br>
[7] <a href="https://www.drupal.org/user/326925" rel="noreferrer" target="_blank">https://www.drupal.org/user/326925</a><br>
[8] <a href="https://www.drupal.org/user/108450" rel="noreferrer" target="_blank">https://www.drupal.org/user/108450</a><br>
[9] <a href="https://www.drupal.org/user/36762" rel="noreferrer" target="_blank">https://www.drupal.org/user/36762</a><br>
<br>
_______________________________________________<br>
Security-news mailing list<br>
<a href="mailto:Security-news@drupal.org" target="_blank">Security-news@drupal.org</a><br>
Unsubscribe at <a href="https://lists.drupal.org/mailman/listinfo/security-news" rel="noreferrer" target="_blank">https://lists.drupal.org/mailman/listinfo/security-news</a><br>
</div><div class="gmail_quote"><br></div><div class="gmail_quote"><div>===</div><div>Computer Security Incident Response Team - CSIRT</div><div>Universidade Estadual de Campinas - Unicamp</div><div>Centro de Computacao - CCUEC</div><div>GnuPG Public Key: <a href="http://www.security.unicamp.br/security.asc" target="_blank">http://www.security.unicamp.br/security.asc</a> [^]</div><div>Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830</div><br class="gmail-Apple-interchange-newline"></div></div>