Remote command injection when using sendmail email transport

Impact

Sites using the sendmail transport as part of their mail config are vulnerable to remote command injection due to a vulnerability in the nodemailer dependency.

Ghost defaults to the direct transport so this is only exploitable if the sendmail transport is explicitly used.

Patches

Fixed in 4.15.0, all sites should upgrade as soon as possible.

Workarounds

Use an alternative email transport as described in the docs.

For more information

If you have any questions or comments about this advisory:

email us at security@ghost.org

Published: Sep 20, 2021
Updated: Apr 14, 2023
GHSA: GHSA-wfrj-qqc2-83cm
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

CWEs:

CWE-88

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
ghost	-	4.15.0

https://github.com/TryGhost/Ghost/security/advisories/GHSA-wfrj-qqc2-83cm

Vulnerability Database

Remote command injection when using sendmail email transport

Impact

Patches

Workarounds

For more information