CVE-2020-7769 Vulnerability in npm package nodemailer

Description

This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.

Remediation

References

https://github.com/nodemailer/nodemailer/blob/33b62e2ea6bc9215c99a9bb4bfba94e2fb27ebd0/lib/sendmail-transport/index.js%23L75

https://github.com/nodemailer/nodemailer/commit/ba31c64c910d884579875c52d57ac45acc47aa54

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1039742

https://snyk.io/vuln/SNYK-JS-NODEMAILER-1038834

Related Vulnerabilities

CVE-2023-40167 Vulnerability in maven package org.eclipse.jetty:jetty-http

CVE-2023-37903 Vulnerability in npm package vm2

CVE-2017-16081 Vulnerability in npm package cross-env.js

CVE-2021-31406 Vulnerability in maven package com.vaadin:flow-server

CVE-2020-7789 Vulnerability in maven package org.webjars.npm:node-notifier

Severity

Critical

Classification

CWE-88 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H