Ricochet super-team Stephen Pope and Rick Destree were invaluable in upgrading the functionalities of the MarketTools corporate website, helping us implement new design elements and site structure, and launching a new website on very short notice when our business unit was acquired by Confirmit. Along the way, they taught me a lot about Drupal! Stephen’s help was critical in dealing with some difficult pre-existing server environment issues, and he went the extra mile many times to get us past the crunch points. I absolutely recommend Stephen and his team!
—Laura Newton

Mailjet - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-062

Wed, 2024-11-20 09:36 — Anonymous (not verified)

Project: MailjetDate: 2024-November-20Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Arbitrary PHP code executionAffected versions: <4.0.1Description: This module for Drupal provides complete control of Email settings with Drupal and Mailjet.
In certain cases the module doesn't securely pass data to PHP's unserialize() function, which could result in Remote Code Execution via PHP Object Injection.
This vulnerability is mitigated by the fact that an attack must operate with the permission "administer mailjet module", however this could be the case if this issue were combined with others in an "attack chain".Solution: Install the latest version:

Upgrade to Mailjet 4.0.1
For Drupal 7.x, upgrade to Mailjet 7.x-2.23

Reported By:

Drew Webber of the Drupal Security Team

Fixed By:

Drew Webber of the Drupal Security Team
Bohdan Artemchuk

Coordinated By:

Drew Webber of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2024-062

Search form

Mailjet - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-062