- Advisory ID: DRUPAL-SA-CONTRIB-2017-005
- Project: (third-party module)
- Version: 7.x
- Date: 2017-January-11
- Security risk: 23/25 (Highly Critical) AC:None/A:User/CI:All/II:All/E:Exploit/TD:All
- Vulnerability: Arbitrary PHP code execution
The Mailjet module integrates with a 3rd party system to deliver site-generated emails, including newsletters, system notifications, etc.
The Mailjet module included v5.2.8 of the PHPMailer library in its "includes" directory. Per PSA-2016-004, this version of the PHPMailer library was vulnerable to PHP code execution.
Per Drupal.org policy, 3rd party code should not be stored in drupal.org repositories.
Updating this module will require manual actions to replace the PHPMailer library as described in the README.txt file included in the release.
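To confirm after the upgrade that no stale bundled copy is left behind, this added example (not part of the advisory or of the Mailjet module) walks a site tree for PHPMailer's `class.phpmailer.php` and reads the `$Version` property it declares. The sample directory layout, the `9.9.9` version and the minimum version passed by the caller are constructed placeholders; take the real minimum from PSA-2016-004.

```python
import os
import re
import tempfile

# PHPMailer 5.x declares its release in class.phpmailer.php, e.g.: public $Version = '5.2.8';
VERSION_RE = re.compile(r"""\$Version\s*=\s*['"]([0-9]+(?:\.[0-9]+)*)['"]""")

def parse_version(text):
    """Return the declared PHPMailer version string, or None if not found."""
    match = VERSION_RE.search(text)
    return match.group(1) if match else None

def version_tuple(version):
    return tuple(int(part) for part in version.split("."))

def find_bundled_phpmailer(root):
    """Return sorted (relative_path, version_or_None) for each class.phpmailer.php under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "class.phpmailer.php":
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    hits.append((os.path.relpath(full, root), parse_version(fh.read())))
    return sorted(hits)

def needs_replacement(version, minimum):
    """Copies with no readable version are flagged for manual review."""
    return version is None or version_tuple(version) < version_tuple(minimum)

def build_sample_tree(root):
    """Constructed layout: one copy bundled in a module, one installed separately."""
    samples = {
        "sites/all/modules/mailjet/includes/class.phpmailer.php": "5.2.8",
        "sites/all/libraries/phpmailer/class.phpmailer.php": "9.9.9",  # placeholder
    }
    for rel, version in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("<?php\nclass PHPMailer {\n    public $Version = '%s';\n}\n" % version)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_tree(site)
        for rel, version in find_bundled_phpmailer(site):
            # "9.0.0" is a constructed minimum, not a value from the advisory.
            flag = "REPLACE" if needs_replacement(version, "9.0.0") else "ok"
            print(f"{flag:8} {version}  {rel}")
```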
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
- Mailjet 7.x-2.x versions prior to 7.x-2.10.
Install the latest version:
- If you use the Mailjet module for Drupal 7.x, upgrade to Mailjet 7.x-2.10.
- Proxiad, the module maintainer
- Damien McKenna of the Drupal Security Team
- 2017-01-11: Initial release of the advisory.
- 2017-01-25: Updated advisory to recommend using the newer 7.x-2.10 release.
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity