Sendmail location and arguments, available via Administer - Settings,
both accept arbitrary strings and pass them into shell.
By default, only Foreman super administrator can access settings.

Mitigation: Verify the both settings and remove edit_settings
permissions to all roles and users until fixed. Alternatively, create
settings named sendmail_location and sendmail_arguments in settings.yaml
file to override the UI and make the values read-only.

Solution: Limit the possible values for location to just expected paths.
Use shellescaping for arguments as there is currently no way to pass
arguments to the 'mail' gem in a safely manner.