CVE-2016-10034
Summary
| CVE | CVE-2016-10034 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2016-12-30 19:59:00 UTC |
| Updated | 2018-10-21 10:29:00 UTC |
| Description | The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address. |
Risk And Classification
Problem Types: CWE-77 (Improper Neutralization of Special Elements used in a Command, 'Command Injection')
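Added example (not zend-mail's or Zend Framework's own code) modelling the mechanism in the description. PHP's mail() runs escapeshellcmd() over its additional_parameters argument, joins the result to sendmail_path with a space and hands the string to popen(), so a sender address that reaches that argument as `-f<address>` is re-tokenized by /bin/sh. The block ports escapeshellcmd()'s quote-pairing rule to Python, shows how a From address carrying the `\"` sequence from the description becomes extra sendmail arguments, and contrasts an allowlist-plus-argv path that never lets the address reach a shell. The sendmail path, the crafted address (its `-oQ`/`-X` options and file paths are constructed for illustration), the SAFE_ADDRESS pattern and the function names are assumptions of this example; the hardened function is a suggested defence, not the project's actual patch.

```python
"""Model of the CVE-2016-10034 command-line injection and a hardened sender
check.  Added example; not zend-mail's or Zend Framework's own code."""
import re
import shlex

# Assumed sendmail_path (the php.ini default on most Linux builds).
SENDMAIL_ARGV = ["/usr/sbin/sendmail", "-t", "-i"]

# Constructed crafted sender: a quoted local part containing the \" sequence
# from the CVE description, followed by sendmail options (-oQ queue dir,
# -X trace file) and a second quote to keep PHP's quote pairing balanced.
CRAFTED_FROM = '"attacker\\" -oQ/tmp/ -X/tmp/trace.log  x"@example.com'

# Characters PHP's escapeshellcmd() always backslash-escapes (non-Windows).
_ALWAYS_ESCAPED = set('#&;`|*?~<>^()[]{}$\\\n\xff')


def php_escapeshellcmd(s: str) -> str:
    """Python port of php_escape_shell_cmd() for ASCII input, non-Windows.

    A quote is left bare when PHP believes it is paired (an opening quote
    with a later partner, or any same-type quote while one is open);
    otherwise it is backslash-escaped.  Backslash itself is always doubled,
    so the attacker's backslash-quote pair ends up as an escaped backslash
    followed by a bare quote, which the shell then treats as closing the
    quoted token.
    """
    out = []
    open_quote = None           # PHP's `p`: the quote type currently open
    for i, ch in enumerate(s):
        if ch in ('"', "'"):
            if open_quote is None and ch in s[i + 1:]:
                open_quote = ch         # paired opening quote: emit bare
            elif open_quote == ch:
                open_quote = None       # closing quote: emit bare
            else:
                out.append("\\")        # unmatched or nested: escape it
            out.append(ch)
        elif ch in _ALWAYS_ESCAPED:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def vulnerable_sendmail_argv(from_address: str) -> list[str]:
    """Pre-fix pattern: '-f' + address goes to mail() as additional_parameters.
    PHP runs escapeshellcmd() over it, joins it to sendmail_path with a space
    and popen()s the string, so /bin/sh re-tokenizes it.  shlex.split() stands
    in for the shell here."""
    params = php_escapeshellcmd("-f" + from_address)
    return shlex.split(" ".join(SENDMAIL_ARGV) + " " + params)


def injected_options(from_address: str) -> list[str]:
    """Extra argv entries an address smuggles past the single -f argument."""
    argv = vulnerable_sendmail_argv(from_address)
    return argv[len(SENDMAIL_ARGV) + 1:]


# Assumed allowlist for a sender that may become a -f argument: a plain
# addr-spec with no quoted local part, whitespace, quotes or backslashes.
SAFE_ADDRESS = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+")


def is_shell_safe_address(from_address: str) -> bool:
    """True only for addresses that need no shell quoting at all."""
    return SAFE_ADDRESS.fullmatch(from_address) is not None


def hardened_sendmail_argv(from_address: str) -> list[str]:
    """Hardened path: reject anything outside the allowlist and build argv
    directly (for subprocess.run(..., shell=False)), so no shell sees it."""
    if not is_shell_safe_address(from_address):
        raise ValueError(f"refusing unsafe sender address: {from_address!r}")
    return [*SENDMAIL_ARGV, "-f" + from_address]


if __name__ == "__main__":
    print("benign :", vulnerable_sendmail_argv("alice@example.com"))
    print("crafted:", vulnerable_sendmail_argv(CRAFTED_FROM))
    print("smuggled options:", injected_options(CRAFTED_FROM))
    print("hardened benign :", hardened_sendmail_argv("alice@example.com"))
    try:
        hardened_sendmail_argv(CRAFTED_FROM)
    except ValueError as exc:
        print("hardened crafted:", exc)
```

With the crafted sender the vulnerable path yields `-fattacker\` followed by `-oQ/tmp/` and `-X/tmp/trace.log` as separate sendmail arguments; the hardened path raises before anything is built. The allowlist is deliberately stricter than RFC 5321 (quoted local parts are valid mail addresses) because on this code path the address is a command-line argument, not just a header value.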
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Zend | Zend-mail | 2.5.0 | All | All | All |
| Application | Zend | Zend-mail | 2.5.1 | All | All | All |
| Application | Zend | Zend-mail | 2.5.2 | All | All | All |
| Application | Zend | Zend-mail | 2.6.0 | All | All | All |
| Application | Zend | Zend-mail | 2.6.1 | All | All | All |
| Application | Zend | Zend-mail | 2.6.2 | All | All | All |
| Application | Zend | Zend-mail | 2.7.0 | All | All | All |
| Application | Zend | Zend-mail | 2.7.1 | All | All | All |
| Application | Zend | Zend-mail | All | All | All | All |
| Application | Zend | Zend Framework | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution - PHP webapps Exploit | EXPLOIT-DB | www.exploit-db.com | |
| Zend Framework - Advisory | CONFIRM | framework.zend.com | Exploit, Technical Description, Vendor Advisory |
| Zend Framework: Multiple vulnerabilities (GLSA 201804-10) — Gentoo security | GENTOO | security.gentoo.org | |
| Zend Framework / zend-mail < 2.4.11 - Remote Code Execution - PHP webapps Exploit | EXPLOIT-DB | www.exploit-db.com | |
| ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln | MISC | legalhackers.com | Exploit, Technical Description, Third Party Advisory |
| PHPMailer < 5.2.20 / SwiftMailer < 5.4.5-DEV / Zend Framework / zend-mail < 2.4.11 - 'AIO' 'PwnScriptum' Remote Code Execution - PHP webapps Exploit | EXPLOIT-DB | www.exploit-db.com | |
| Zend Framework Input Validation Flaw in zend-mail Lets Remote Users Execute Arbitrary Code on the Target System - SecurityTracker | SECTRACK | www.securitytracker.com | |
| Zend Framework 'zend-mail' Component Remote Code Execution Vulnerability | BID | www.securityfocus.com | Third Party Advisory, VDB Entry |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.