Mail header injection in Drupal - #VU585
Published: September 21, 2016
Vulnerability identifier: #VU585
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Drupal
Affected software:
Drupal
Detailed vulnerability description
The vulnerability allows Drupal sites to send unwanted emails.
The weakness is caused by linefeeds and carriage returns left in email headers, which allows bogus headers to be included in outgoing email.
Successful exploitation of the vulnerability may result in transmission of unwanted emails.
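The following added example (not Drupal's own code and not its patch) shows the weakness described above next to a hardened header builder that refuses any header containing a carriage return or linefeed. The function names and the sample addresses are hypothetical and constructed for illustration.

```php
<?php
// Added example: hypothetical helpers, not taken from Drupal.

// Weak form: values are joined into the header block unchecked, so a
// CR/LF inside one value starts a new header line.
function build_headers_naive(array $headers): string
{
    $lines = [];
    foreach ($headers as $name => $value) {
        $lines[] = $name . ': ' . $value;
    }
    return implode("\r\n", $lines);
}

// Hardened form: reject the message if any header name or value
// contains a line break, instead of passing it on to the mailer.
function build_headers_checked(array $headers): string
{
    $lines = [];
    foreach ($headers as $name => $value) {
        $name = (string) $name;
        $value = (string) $value;
        // Field names: printable ASCII without the colon.
        if (!preg_match('/^[\x21-\x39\x3B-\x7E]+$/', $name)) {
            throw new InvalidArgumentException('Invalid header name');
        }
        if (preg_match('/[\r\n]/', $value)) {
            throw new InvalidArgumentException("Line break in header '$name'");
        }
        $lines[] = $name . ': ' . $value;
    }
    return implode("\r\n", $lines);
}

// Constructed sample: a form-supplied Reply-To value with an embedded line break.
$tainted = [
    'From'     => 'site@example.org',
    'Reply-To' => "user@example.com\r\nX-Injected: 1",
];

// The naive builder emits more header lines than fields were supplied.
$naive = explode("\r\n", build_headers_naive($tainted));
echo count($naive), ' header lines from ', count($tainted), " fields\n";

try {
    build_headers_checked($tainted);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

The same check belongs on every user-influenced value that ends up in the header block, including the subject and recipient fields.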
Remediation
Update 4.5.x to 4.5.8.
Update 4.6.x to 4.6.6.