Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2024-November-20
Security risk:
Vulnerability:
Arbitrary PHP code execution
Affected versions:
<4.0.1
CVE IDs:
CVE-2024-13296
Description:
This module for Drupal provides complete control of Email settings with Drupal and Mailjet.
In certain cases the module doesn't securely pass data to PHP's unserialize() function, which could result in Remote Code Execution via PHP Object Injection.
This vulnerability is mitigated by the fact that an attack must operate with the permission "administer mailjet module", however this could be the case if this issue were combined with others in an "attack chain".
Solution:
Install the latest version:
- Upgrade to Mailjet 4.0.1
- For Drupal 7.x, upgrade to Mailjet 7.x-2.23
Reported By:
- Drew Webber of the Drupal Security Team
Fixed By:
- Drew Webber of the Drupal Security Team
- Bohdan Artemchuk
Coordinated By:
- Drew Webber of the Drupal Security Team
