Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1yOW13LWd3eDktdjNoNc4AAVU6

zend-mail remote code execution via Sendmail adapter

The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a " (backslash double quote) in a crafted e-mail address.

Permalink: https://github.com/advisories/GHSA-r9mw-gwx9-v3h5
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yOW13LWd3eDktdjNoNc4AAVU6
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 2 years ago
Updated: 25 days ago

CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-r9mw-gwx9-v3h5, CVE-2016-10034
References:

Blast Radius: 33.7

Affected Packages

packagist:zendframework/zend-mail

Dependent packages: 235
Dependent repositories: 2,752
Downloads: 13,062,809 total
Affected Version Ranges: >= 2.7, < 2.7.2, >= 2.6, <= 2.6.2, >= 2.5, <= 2.5.2, < 2.4.11
Fixed in: 2.7.2, , , 2.4.11
All affected versions: 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.10, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1
All unaffected versions: 2.4.11, 2.4.12, 2.4.13, 2.7.2, 2.7.3, 2.8.0, 2.9.0, 2.10.0