Impact
Sites using the sendmail transport as part of their mail config are vulnerable to remote command injection due to a vulnerability in the nodemailer dependency.
Ghost defaults to the direct transport so this is only exploitable if the sendmail transport is explicitly used.
Patches
Fixed in 4.15.0, all sites should upgrade as soon as possible.
Workarounds
- Use an alternative email transport as described in the docs.
For more information
If you have any questions or comments about this advisory:
Impact
Sites using the
sendmailtransport as part of theirmailconfig are vulnerable to remote command injection due to a vulnerability in thenodemailerdependency.Ghost defaults to the
directtransport so this is only exploitable if thesendmailtransport is explicitly used.Patches
Fixed in 4.15.0, all sites should upgrade as soon as possible.
Workarounds
For more information
If you have any questions or comments about this advisory: