Link to the access bypass security advisory on module page

Created on 24 January 2024, 10 months ago
Updated 8 February 2024, 10 months ago

Problem/Motivation

While the module has been marked unsupported, I think it would be helpful to correct the text on the module page. It currently says:

Warning: the swiftmailer library is no longer maintained and so this module is obsolete. It has not yet been marked unsupported, but that could change at any time due to discovery of a security bug or on advice of the Drupal Security Team.

The above isn't true anymore, as the module has been marked unsupported, due to a recent security advisory and unpatched vulnerability. I also think the SA should be linked on the module page. Here is the security advisory:

View online: https://www.drupal.org/sa-contrib-2024-006

Project: Swift Mailer [1]
Date: 2024-January-24
Security risk: *Moderately critical* 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Description:
The Drupal Swift Mailer module extends the basic e-mail sending functionality provided by Drupal by delegating all e-mail handling to the Swift Mailer library. This enables your site to take advantage of the many features which the Swift Mailer library provides.

The module could allow an attacker to gain widespread access to a Drupal site. This vulnerability is mitigated by the fact that an attacker must have a means to trigger sending an email with a body that they can control, which would require either another contributed module or custom integration.

Solution:
Uninstall this module immediately. The swiftmailer library has been unsupported for a year, and this module is now also unsupported.

Changing to a replacement module is suggested; the following were specifically suggested by the module maintainers:

* Drupal Symfony Mailer Lite [3]
* Drupal Symfony Mailer [4]

Reported By:
* Adam Shepherd [5]

Fixed By:
* Adam Shepherd [6]
* Wayne Eaker [7]

Coordinated By:
* Damien McKenna [8] of the Drupal Security Team
* Greg Knaddison [9] of the Drupal Security Team

[1] https://www.drupal.org/project/swiftmailer
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/symfony_mailer_lite
[4] https://www.drupal.org/project/symfony_mailer
[5] https://www.drupal.org/user/2650563
[6] https://www.drupal.org/user/2650563
[7] https://www.drupal.org/user/326925
[8] https://www.drupal.org/user/108450
[9] https://www.drupal.org/user/36762
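The advisory's only remediation is to uninstall the module and its library. Before acting on that, a site owner needs to know whether a given codebase still carries either package. The script below is an added example and is not code from the advisory, the issue, or the Swift Mailer project: it reads the Composer lock file for the two real package names (drupal/swiftmailer and swiftmailer/swiftmailer) and, separately, checks a saved module list from drush. The composer.lock fragment and module list it writes are constructed samples; the site path and file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the advisory or the Swift Mailer project: check
# whether a Drupal site still carries the unsupported module (drupal/swiftmailer)
# or the library it wraps (swiftmailer/swiftmailer) before acting on the
# "uninstall immediately" advice. The package names are the real Composer names;
# the composer.lock and drush output written below are constructed samples.

# Print any Swift Mailer package names recorded in a composer.lock and return 0;
# return 1 if none are listed, 2 if the file is unreadable.
swiftmailer_in_lock() {
    lockfile="${1:-composer.lock}"
    [ -r "$lockfile" ] || { echo "cannot read $lockfile" >&2; return 2; }
    # Match only the "name" field of a package entry (in "packages" or
    # "packages-dev"), not a mention in a description or a URL.
    found=$(grep -E '"name": *"(drupal/swiftmailer|swiftmailer/swiftmailer)"' "$lockfile" \
        | sed -E 's/.*"name": *"([^"]+)".*/\1/' | sort -u)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
    return 0
}

# Return 0 if "swiftmailer" is an enabled module in a saved copy of
#   drush pm:list --type=module --status=enabled --format=list
# (one machine name per line), read from the file given as $1.
swiftmailer_enabled() {
    grep -qx 'swiftmailer' "$1"
}

# Constructed composer.lock fragment holding only the fields the check reads.
write_sample_lock() {
    cat > "$1" <<'EOF'
{
    "packages": [
        { "name": "drupal/core" },
        { "name": "drupal/swiftmailer" },
        { "name": "swiftmailer/swiftmailer" }
    ]
}
EOF
}

# Constructed drush module list, one machine name per line.
write_sample_modules() {
    cat > "$1" <<'EOF'
node
swiftmailer
user
EOF
}

# Check the site root given as $1 (default: current directory) and print the
# two commands that remove the module and the package if it is still present.
main() {
    site="${1:-.}"
    pkgs=$(swiftmailer_in_lock "$site/composer.lock") && rc=0 || rc=$?
    case "$rc" in
        0) echo "Swift Mailer still present in $site/composer.lock:"
           echo "$pkgs"
           echo "Remediate: drush pm:uninstall swiftmailer && composer remove drupal/swiftmailer" ;;
        1) echo "no Swift Mailer packages recorded in $site/composer.lock" ;;
        *) echo "skipped: $site/composer.lock not readable" ;;
    esac
}

main "$@"
```

Run it from the site root (or pass the root as the first argument). A hit in composer.lock means the code is deployed even if the module is disabled in Drupal, so both checks matter: `drush pm:uninstall swiftmailer` removes the module's configuration and schema, and `composer remove drupal/swiftmailer` removes the code and the library from the lock file.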

📌 Task
Status

Fixed

Version

2.0

Component

Code

Tags

Security
