Description

The Mailjet module integrates with a 3rd party system to deliver site-generated emails, including newsletters, system notifications, etc.

The Mailjet module included v5.2.8 of the PHPMailer library in its "includes" directory. Per PSA-2016-004, this version of the PHPMailer library was vulnerable to PHP code execution.

Per Drupal.org policy, 3rd party code should not be stored in drupal.org repositories.

Updating this module will require manual actions to replace the PHPMailer library as described in the README.txt file included in the release.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Mailjet 7.x-2.x versions prior 7.x-2.10.

Drupal core is not affected. If you do not use the contributed module, there is nothing you need to do.

Solution

Install the latest version:

Also see the project page.

Reported by

Fixed by

Coordinated by

Changelog

  • 2017-01-11: Initial release of the advisory.
  • 2017-01-25: Updated advisory to recommendation using the newer 7.x-2.10 release.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity