Basic Information

CVSS Score: -
CVE ID: -
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -
Technology: -
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| drupal/drupal | composer | >= 7.0, < 7.60 | 7.60 |
| drupal/drupal | composer | >= 8.0.0, < 8.5.8 | 8.5.8 |
| drupal/drupal | composer | >= 8.6.0, < 8.6.2 | 8.6.2 |
The vulnerability description explicitly identifies DefaultMailSystem::mail() as the location where unsanitized variables were passed to shell commands. The CWE-94 (Code Injection) classification confirms this is a command injection issue. Although exact implementation details are not shown, the advisory's specific reference to this class and method, in the context of email sending and shell argument sanitization, gives high confidence that this is the vulnerable function. The standard Drupal file structure places this class in core/lib/Drupal/Core/Mail/DefaultMailSystem.php.