CVE-2016-10034

Sažetak

The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address.

Reference

http://www.securityfocus.com/bid/95144
http://www.securitytracker.com/id/1037539
https://framework.zend.com/security/advisory/ZF2016-04
https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html
https://security.gentoo.org/glsa/201804-10
https://www.exploit-db.com/exploits/40979/
https://www.exploit-db.com/exploits/40986/
https://www.exploit-db.com/exploits/42221/

CVSS

Base:	7.5
Impact:	6.4
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:P/A:P

Zadnje važnije ažuriranje

21-10-2018 - 10:29

Objavljeno

30-12-2016 - 19:59