Vulnerability

CVE-2021-23400
CVSS Score 8.8 high

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-74

[CVE-2021-23400] CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Description

Versions of the package nodemailer before 6.6.1 are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.
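For applications that build address objects from user input, the check below rejects carriage returns and newlines before the message reaches the mail library. It is an added example, not nodemailer's own code or its fix. The function names and the sample messages are hypothetical, and the field list assumes the usual `from`, `sender`, `to`, `cc`, `bcc` and `replyTo` message options with `{ name, address }` objects.

```javascript
// Added example (not from nodemailer): reject CR/LF in address fields.
// Assumption: addresses arrive as strings, { name, address } objects, or arrays of either.
const ADDRESS_FIELDS = ['from', 'sender', 'to', 'cc', 'bcc', 'replyTo'];
const LINE_BREAK = /[\r\n]/;

// Collect the path of every address value that contains a CR or LF.
function findLineBreaks(value, path, hits) {
  if (typeof value === 'string') {
    if (LINE_BREAK.test(value)) hits.push(path);
  } else if (Array.isArray(value)) {
    value.forEach((item, i) => findLineBreaks(item, `${path}[${i}]`, hits));
  } else if (value && typeof value === 'object') {
    for (const key of ['name', 'address']) {
      if (key in value) findLineBreaks(value[key], `${path}.${key}`, hits);
    }
  }
  return hits;
}

// Return the offending paths for one message object (empty array if clean).
function checkMessage(message) {
  const hits = [];
  for (const field of ADDRESS_FIELDS) {
    if (field in message) findLineBreaks(message[field], field, hits);
  }
  return hits;
}

// Throw instead of sending when any address field carries a line break.
function assertSafeAddresses(message) {
  const hits = checkMessage(message);
  if (hits.length > 0) {
    throw new Error(`CR/LF in address field(s): ${hits.join(', ')}`);
  }
  return message;
}

// Constructed sample messages: one with a line break in a display name, one clean.
const tainted = {
  from: { name: 'Support', address: 'support@example.com' },
  to: [{ name: 'Alice\r\nX-Injected: 1', address: 'alice@example.com' }],
  subject: 'Hello',
};
const clean = { from: 'support@example.com', to: ['bob@example.com'], subject: 'Hello' };

console.log(checkMessage(tainted)); // paths that would be rejected
console.log(checkMessage(clean));   // nothing to reject
```

Call `assertSafeAddresses(message)` at the point where user input is turned into a message; it complements, and does not replace, running nodemailer 6.6.1 or later.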

See nodemailer package information