Open CharlesArea opened 2 years ago
nodemailer 4.0.1 has two fairly serious vulnerabilities: 1) Command Injection CVE-2020-7769, for example -
-bi@example.com (-bi Initialize the alias database.) -d0.1a@example.com (The option -d0.1 prints the version of Sendmail and the options it was compiled with.) -Dfilename@example.com (Debug output file)
2) HTTP Header Injection CVE-2021-23400, for example -
```javascript
const userEmail = 'foo@bar.com\r\nSubject: foobar'; // imagine this comes from e.g. HTTP request params or is otherwise user-controllable
await transporter.sendMail({
  from: '...',
  to: '...',
  replyTo: {
    name: 'Customer',
    address: userEmail,
  },
  subject: 'My Subject',
  text: message,
});
```
Suggest upgrading from 4.0.1 to 6.7.2 / 6.6.1 (no compatibility issues found so far).
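As an added example (not code from this PR, from nodemailer, or from its author), the following shows the kind of defence-in-depth check a caller can run on user-controlled mail options before handing them to `transporter.sendMail()`: it rejects header values carrying CR/LF or other control characters (the ingredient of the header injection above) and addresses that begin with `-` (the shape of the sendmail-option addresses listed above). The function names, the address regex and the sample inputs are all assumptions of this example; upgrading nodemailer remains the actual fix.

```javascript
// Added example: validation of mail options before sendMail(). Not part of
// nodemailer or of this PR; function names and the address regex are assumed.

// CR, LF and any other ASCII control character have no place in a header value.
const CONTROL_CHARS = /[\x00-\x1f\x7f]/;

// A header value (subject, display name, ...) is safe only if it is a string
// free of control characters, so it cannot terminate or start a header line.
function isSafeHeaderValue(value) {
  return typeof value === 'string' && !CONTROL_CHARS.test(value);
}

// Conservative address check: one local@domain token, no control characters,
// and never starting with '-' so it cannot be read as a sendmail option.
function isSafeAddress(address) {
  if (!isSafeHeaderValue(address)) return false;
  if (address.startsWith('-')) return false;
  return /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/.test(address);
}

// Walks an options object shaped like the one passed to sendMail() and
// returns a list of problems; an empty list means the object may be sent.
function validateMailOptions(opts) {
  const problems = [];
  for (const field of ['from', 'to', 'cc', 'bcc', 'replyTo']) {
    const v = opts[field];
    if (v === undefined) continue;
    const entries = Array.isArray(v) ? v : [v];
    for (const e of entries) {
      const addr = typeof e === 'string' ? e : e.address;
      const name = typeof e === 'string' ? '' : (e.name || '');
      if (!isSafeAddress(addr)) problems.push(`${field}: unsafe address ${JSON.stringify(addr)}`);
      if (!isSafeHeaderValue(name)) problems.push(`${field}: unsafe display name`);
    }
  }
  if (opts.subject !== undefined && !isSafeHeaderValue(opts.subject)) {
    problems.push('subject: control characters');
  }
  return problems;
}

// Constructed sample inputs mirroring the two cases in the PR description.
const injectedReplyTo = {
  from: 'sender@example.com',
  to: 'recipient@example.com',
  replyTo: { name: 'Customer', address: 'foo@bar.com\r\nSubject: foobar' },
  subject: 'My Subject',
  text: 'hello',
};
const optionLikeAddress = {
  from: 'sender@example.com',
  to: '-bi@example.com',
  subject: 'My Subject',
  text: 'hello',
};
const cleanOptions = {
  from: 'sender@example.com',
  to: ['recipient@example.com', { name: 'Customer', address: 'customer@example.com' }],
  subject: 'My Subject',
  text: 'hello',
};

console.log(validateMailOptions(injectedReplyTo));   // one replyTo problem
console.log(validateMailOptions(optionLikeAddress)); // one "to" problem
console.log(validateMailOptions(cleanOptions));      // []
```

Only an empty problem list should reach `sendMail()`; anything else is logged and the request rejected, which also gives you a detection signal for attempts like the ones quoted above.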
All committers have signed the CLA.