Advertisement






Drupal 4.6.6 / 4.5.8 fixes mail header injection issue

CVE Category Price Severity
CVE-2015-3293 CWE-93 $500 High
Author Risk Exploitation Type Date
Unknown High Remote 2006-03-23
CPE
cpe:cpe:/a:drupal:drupal:4.6.6:4.5.8
CVSS EPSS EPSSP
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2006030071

Below is a copy:

------------------------------------------------------------------------
----
Drupal security advisory                                  DRUPAL-SA-2006-004
------------------------------------------------------------------------
----
Advisory ID:    DRUPAL-SA-2006-004
Project:        Drupal core
Date:           2006-03-13
Security risk:  moderately critical
Impact:         security bypass
Where:          from remote
Vulnerability:  mail header injection attack
------------------------------------------------------------------------
----

Description
-----------
Linefeeds and carriage returns were not being stripped from email headers,
raising the possibility of bogus headers being inserted into outgoing email.
This could lead to Drupal sites being used to send unwanted email.

Versions affected
-----------------
All Drupal versions before 4.6.6.

Solution
--------
If you are running Drupal 4.5.x then upgrade to Drupal 4.5.8.
If you are running Drupal 4.6.x then upgrade to Drupal 4.6.6.

Reported by
-----------
Norrin, kbahey

Contact
-------
The security contact for Drupal can be reached at security (at) drupal (dot) org [email concealed]
or using the form at http://drupal.org/contact.
More information is available from http://drupal.org/security or from
our security RSS feed http://drupal.org/security/rss.xml.

// Uwe Hermann, on behalf of the Drupal Security Team.
-- 
Uwe Hermann 
http://www.hermann-uwe.de
http://www.it-services-uh.de  | http://www.crazy-hacks.org 
http://www.holsham-traders.de | http://www.unmaintained-free-software.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFEFiQtXdVoV3jWIbQRAlgvAKCRPRYNf26DWBsMXmV66RwAxySx0QCgnOBf
Y6Sys1nFBsQToaxJISYhoeI=
=pUZr
-----END PGP SIGNATURE-----

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.