The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address.
References
Link | Resource |
---|---|
http://www.securityfocus.com/bid/95144 | Third Party Advisory, VDB Entry |
http://www.securitytracker.com/id/1037539 | |
https://framework.zend.com/security/advisory/ZF2016-04 | Exploit, Technical Description, Vendor Advisory |
https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html | Exploit, Technical Description, Third Party Advisory |
https://security.gentoo.org/glsa/201804-10 | |
https://www.exploit-db.com/exploits/40979/ | |
https://www.exploit-db.com/exploits/40986/ | |
https://www.exploit-db.com/exploits/42221/ | |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2016-12-30T19:00:00
Updated: 2018-10-21T09:57:02
Reserved: 2016-12-23T00:00:00
Link: CVE-2016-10034
NVD Information
Status: Modified
Published: 2016-12-30T19:59:00.217
Modified: 2018-10-21T10:29:01.003
Link: CVE-2016-10034
Redhat Information
No data.
CWE