GHSA-jf8c-36vw-98x4: 
PHP vulnerability analysis and mitigation

A critical remote code execution vulnerability was discovered in Drupal core's DefaultMailSystem::mail() function. The vulnerability (GHSA-jf8c-36vw-98x4) was disclosed on October 17, 2018, affecting Drupal versions 7.x (>=7.0, <7.60) and 8.x (>=8.0.0, <8.5.8 and >=8.6.0, <8.6.2). The issue stemmed from insufficient sanitization of shell arguments when sending emails (Drupal Advisory, GitHub Advisory).

The vulnerability exists in the DefaultMailSystem::mail() function where certain variables were not properly sanitized for shell arguments before being used in email operations. This security flaw was classified as Critical severity and is associated with CWE-94 (Improper Control of Generation of Code). The issue affects multiple versions across both Drupal 7.x and 8.x branches (GitHub Advisory).

The vulnerability could lead to remote code execution on affected Drupal installations, allowing attackers to potentially execute arbitrary code on the target system (Drupal Advisory, GitHub Advisory).

Users are advised to upgrade to the patched versions: Drupal 7.60 for 7.x installations, Drupal 8.5.8 for 8.5.x installations, or Drupal 8.6.2 for 8.6.x installations. Minor versions of Drupal 8 prior to 8.5.x are not supported and do not receive security coverage (Drupal Advisory).