The swiftmailer library in use allows the execution of arbitrary shell commands if the "From" header comes from a non-trusted source and no "Return-Path" is configured. Only TYPO3 installations where the configuration option
$GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport']
is set to "sendmail" are affected. Installations with the default configuration are not affected.
{ "github_reviewed": true, "cwe_ids": [ "CWE-20" ], "severity": "HIGH", "nvd_published_at": null, "github_reviewed_at": "2024-05-30T18:59:33Z" }