CVE-2016-10034
Summary
| CVE | CVE-2016-10034 |
|---|---|
| State | PUBLISHED |
| Assigner | mitre |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2016-12-30 19:59:00 UTC |
| Updated | 2026-05-06 22:30:45 UTC |
| Description | The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address. |
Risk And Classification
Primary CVSS: v3.0 9.8 CRITICAL from [email protected]
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: probability 0.82322 (percentile 0.99234) as of 2026-05-11
Problem Types: CWE-77 (Improper Neutralization of Special Elements used in a Command, 'Command Injection'); the CVE record itself lists n/a
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.0 | [email protected] | Primary | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 2.0 | [email protected] | Primary | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
CVSS v3.0 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2.0 Breakdown
| Metric | Value |
|---|---|
| Access Vector | Network |
| Access Complexity | Low |
| Authentication | None |
| Confidentiality | Partial |
| Integrity | Partial |
| Availability | Partial |
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Zend | Zend-mail | 2.5.0 | All | All | All |
| Application | Zend | Zend-mail | 2.5.1 | All | All | All |
| Application | Zend | Zend-mail | 2.5.2 | All | All | All |
| Application | Zend | Zend-mail | 2.6.0 | All | All | All |
| Application | Zend | Zend-mail | 2.6.1 | All | All | All |
| Application | Zend | Zend-mail | 2.6.2 | All | All | All |
| Application | Zend | Zend-mail | 2.7.0 | All | All | All |
| Application | Zend | Zend-mail | 2.7.1 | All | All | All |
| Application | Zend | Zend-mail | All | All | All | All |
| Application | Zend | Zend Framework | All | All | All | All |
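The CPE rows above render the NVD version ranges as "All", so the usable affected ranges are the ones in the CVE description: zend-mail before 2.4.11, any 2.5.x or 2.6.x, 2.7.x before 2.7.2, and Zend Framework before 2.4.11. The following added example (not from the CVE record, NVD or the project) encodes those ranges literally and checks the packages locked in a composer.lock against them; the Composer package names are those published for the two packages, and the lock-file excerpt is constructed for the demonstration.

```python
"""Added example (not from the CVE record or NVD): check Composer lock-file
entries against the affected ranges stated in the CVE description."""
import json
import re

_VERSION = re.compile(r"v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple:
    """'v2.7.1', '2.7.1' or '2.7' -> (2, 7, 1) / (2, 7, 0); trailing
    stability suffixes such as '-p1' are ignored."""
    m = _VERSION.match(text)
    if not m:
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(x or 0) for x in m.groups())


def zend_mail_affected(version: str) -> bool:
    """zend-mail before 2.4.11, any 2.5.x or 2.6.x, and 2.7.x before 2.7.2,
    exactly as the description states them."""
    v = parse_version(version)
    if v < (2, 4, 11):
        return True
    if v[:2] in ((2, 5), (2, 6)):
        return True
    if v[:2] == (2, 7):
        return v < (2, 7, 2)
    return False


def zend_framework_affected(version: str) -> bool:
    """The monolithic Zend Framework package before 2.4.11 (the description's
    wording, taken literally)."""
    return parse_version(version) < (2, 4, 11)


# Composer package names as published on Packagist.
_CHECKS = {
    "zendframework/zend-mail": zend_mail_affected,
    "zendframework/zendframework": zend_framework_affected,
}


def affected_packages(composer_lock_text: str) -> list:
    """Return (name, version) for every locked package inside an affected
    range, looking at both 'packages' and 'packages-dev'."""
    lock = json.loads(composer_lock_text)
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            check = _CHECKS.get(pkg.get("name"))
            if check and check(pkg["version"]):
                hits.append((pkg["name"], pkg["version"]))
    return hits


# Constructed composer.lock excerpt: one affected package, one unrelated
# package, and one Zend Framework release that is past the fix.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "zendframework/zend-mail", "version": "2.7.1"},
        {"name": "zendframework/zend-stdlib", "version": "3.1.0"},
    ],
    "packages-dev": [
        {"name": "zendframework/zendframework", "version": "2.4.13"},
    ],
})

if __name__ == "__main__":
    for name, version in affected_packages(SAMPLE_COMPOSER_LOCK):
        print("%s %s is in an affected range" % (name, version))
```

A lock-file check finds the vulnerable transport only where it is declared; applications that vendor zend-mail or pull it in through another framework need the same predicate run against whatever manifest records the version.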
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Zend Framework 'zend-mail' Component Remote Code Execution Vulnerability | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | Third Party Advisory, VDB Entry |
| ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln | af854a3a-2127-422b-91ae-364da2661108 | legalhackers.com | Exploit, Technical Description, Third Party Advisory |
| PHPMailer < 5.2.20 / SwiftMailer < 5.4.5-DEV / Zend Framework / zend-mail < 2.4.11 - 'AIO' 'PwnScriptum' Remote Code Execution - PHP webapps Exploit | af854a3a-2127-422b-91ae-364da2661108 | www.exploit-db.com | |
| Zend Framework / zend-mail < 2.4.11 - Remote Code Execution - PHP webapps Exploit | af854a3a-2127-422b-91ae-364da2661108 | www.exploit-db.com | |
| Zend Framework Input Validation Flaw in zend-mail Lets Remote Users Execute Arbitrary Code on the Target System - SecurityTracker | af854a3a-2127-422b-91ae-364da2661108 | www.securitytracker.com | |
| Zend Framework - Advisory | af854a3a-2127-422b-91ae-364da2661108 | framework.zend.com | Exploit, Technical Description, Vendor Advisory |
| PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution - PHP webapps Exploit | af854a3a-2127-422b-91ae-364da2661108 | www.exploit-db.com | |
| Zend Framework: Multiple vulnerabilities (GLSA 201804-10) — Gentoo security | af854a3a-2127-422b-91ae-364da2661108 | security.gentoo.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.