Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2016-10034

UNKNOWN
Published 2016-12-30T19:00:00
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2016-10034. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed CRITICAL

zend-mail remote code execution via Sendmail adapter

GHSA-r9mw-gwx9-v3h5

Advisory Details

The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address.

Affected Packages

Packagist zendframework/zend-mail
ECOSYSTEM: ≥0 <2.4.11
Packagist zendframework/zend-mail
ECOSYSTEM: ≥2.5 ≤2.5.2
Packagist zendframework/zend-mail
ECOSYSTEM: ≥2.6 ≤2.6.2
Packagist zendframework/zend-mail
ECOSYSTEM: ≥2.7 <2.7.2

CVSS Scoring

CVSS Score

9.0

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2016-10034
WEB https://framework.zend.com/security/advisory/ZF2016-04
PACKAGE https://github.com/zendframework/zend-mail
WEB https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html
WEB https://security.gentoo.org/glsa/201804-10
WEB https://www.exploit-db.com/exploits/40979
WEB https://www.exploit-db.com/exploits/40986
WEB https://www.exploit-db.com/exploits/42221
WEB http://www.securityfocus.com/bid/95144
WEB http://www.securitytracker.com/id/1037539

Advisory provided by GitHub Security Advisory Database. Published: May 14, 2022, Modified: April 23, 2024

References

https://security.gentoo.org/glsa/201804-10
https://www.exploit-db.com/exploits/42221/
https://framework.zend.com/security/advisory/ZF2016-04
https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html
https://www.exploit-db.com/exploits/40979/
http://www.securitytracker.com/id/1037539
https://www.exploit-db.com/exploits/40986/
http://www.securityfocus.com/bid/95144

HackerOne Reports

Directory Disclose,Email Disclose Zendmail vulnerability None
test_this
Paragon Initiative Enterprises
Information Exposure Through Directory Listing
View Report
Published: 2016-12-30T19:00:00
Last Modified: 2024-08-06T03:07:31.976Z
Copied to clipboard!