CVE-2016-10034 – zendframework/zend-mail
Package
Manager: composer
Name: zendframework/zend-mail
Vulnerable Version: >=0 <2.4.11 || >=2.5 <=2.5.2 || >=2.6 <=2.6.2 || >=2.7 <2.7.2
Severity
Level: Critical
CVSS v3.0: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.82322 (percentile 0.99177)
Details
zend-mail remote code execution via Sendmail adapter. The setFrom function of the Sendmail adapter in the zend-mail component before 2.4.11, in all 2.5.x and 2.6.x releases, and in 2.7.x before 2.7.2, as well as in Zend Framework before 2.4.11, might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address. The Sendmail transport derives the sendmail -f (envelope sender) option from the From/Sender address and hands it to PHP's mail() as the additional-parameters argument; an address whose quoted local part contains \" can therefore smuggle further whitespace-separated options into that parameter string (CWE-77, command/argument injection). Applications that let users supply the sender address are the exposed case; upgrading to 2.4.11 or 2.7.2 or later is the fix.
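As an added example that is not part of this advisory or of the zend-mail code base, the PHP guard below shows the pre-check a practitioner would put in front of setFrom()/setSender() while a patched release is being rolled out: it accepts only a plain dot-atom addr-spec and rejects anything carrying whitespace, quotes or backslashes, which are the characters a crafted address needs in order to break the -f argument apart. The function name isSafeSenderAddress, the sample addresses and the placeholder token "-y" are all constructed for this illustration and do not come from the advisory.

```php
<?php
// Added example (not zend-mail or Zend Framework code): an application-level
// guard that refuses sender addresses capable of smuggling extra options
// into the "-f<sender>" parameter that Zend\Mail\Transport\Sendmail passes to
// PHP's mail(). The real fix is upgrading to a patched release; this check
// is defence in depth for code that accepts sender addresses from users.

declare(strict_types=1);

/**
 * Accept only a plain addr-spec: dot-atom local part, dotted domain with a
 * letters-only TLD. RFC 5322 quoted local parts ("a b"@host) are legal mail
 * addresses but are rejected on purpose, because quotes, backslashes and
 * whitespace are exactly what a crafted address needs to escape the -f
 * argument. The apostrophe is left out of the atom set for the same reason.
 */
function isSafeSenderAddress(string $email): bool
{
    // Hard stop on the characters that matter for shell-argument safety:
    // any whitespace, double quote, single quote or backslash.
    if (preg_match('/[\s"\'\\\\]/', $email) === 1) {
        return false;
    }

    $atom  = '[A-Za-z0-9!#$%&*+\/=?^_`{|}~-]+';
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $regex = '/^' . $atom . '(?:\.' . $atom . ')*'
           . '@(?:' . $label . '\.)+[A-Za-z]{2,63}$/';

    return strlen($email) <= 254 && preg_match($regex, $email) === 1;
}

// Constructed sample inputs. The third mimics the shape of the advisory's
// trigger: a backslash-double-quote inside a quoted local part, followed by
// what would become a separate word on the sendmail command line. The token
// "-y" is a placeholder, not a real or implied sendmail option.
$candidates = [
    'alice@example.com',                 // ok
    'alice.smith+tag@mail.example.org',  // ok
    '"x\\" -y"@example.com',             // REJECTED: backslash, quotes, space
    '"alice bob"@example.com',           // REJECTED: quoted local part
    'alice@localhost',                   // REJECTED: no dotted domain (see note)
];

foreach ($candidates as $candidate) {
    printf("%-34s %s\n", $candidate, isSafeSenderAddress($candidate) ? 'ok' : 'REJECTED');
}
```

Call isSafeSenderAddress() on any externally supplied sender before it reaches Zend\Mail\Message::setFrom() or setSender(), and fail closed (refuse to send) when it returns false. The check is deliberately stricter than RFC 5322: bare hostnames such as alice@localhost and quoted local parts are refused, so adjust the domain rule if you legitimately deliver to unqualified local mailboxes. It does not replace the upgrade to a release outside the vulnerable range listed above.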
Metadata
Created: 2022-05-14T02:19:49Z
Modified: 2024-04-23T23:13:14Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-r9mw-gwx9-v3h5/GHSA-r9mw-gwx9-v3h5.json
CWE IDs: ["CWE-77"]
Alternative ID: GHSA-r9mw-gwx9-v3h5
Finding: F422
Auto approve: 1