CVE-2020-7769
Command injection in nodemailer
CVSS 3.1 score: 9.8 (CRITICAL)
EPSS: 0.51%
Description
This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.
How to fix CVE-2020-7769
To remediate CVE-2020-7769, upgrade the affected package to a fixed version below.
- Debian/node-nodemailer: upgrade to 6.4.16-1 or later
- nodemailer (upstream package): upgrade to 6.4.16 or later
Is CVE-2020-7769 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- Debian/node-nodemailer: all versions from 0 up to but not including 6.4.16-1
- nodemailer (upstream package): all versions from 0 up to but not including 6.4.16
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.8) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |