Avi Alkalay notify from Variable Arbitrary Command Execution
Remote / Network Access
Loss of Integrity
notify contains a flaw that may allow a malicious user to execute arbitrary commands on the server. The issue is triggered when a semi-colon is entered into the 'from' variable as a seperator for arbitrary commands.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.