Lucene search

K
nvd[email protected]NVD:CVE-2016-10034
HistoryDec 30, 2016 - 7:59 p.m.

CVE-2016-10034

2016-12-3019:59:00
CWE-77
web.nvd.nist.gov
9

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.7

Confidence

High

EPSS

0.964

Percentile

99.6%

The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a " (backslash double quote) in a crafted e-mail address.

Affected configurations

Nvd
Node
zendzend_frameworkRange2.4.10
Node
zendzend-mailRange2.4.10
OR
zendzend-mailMatch2.5.0
OR
zendzend-mailMatch2.5.1
OR
zendzend-mailMatch2.5.2
OR
zendzend-mailMatch2.6.0
OR
zendzend-mailMatch2.6.1
OR
zendzend-mailMatch2.6.2
OR
zendzend-mailMatch2.7.0
OR
zendzend-mailMatch2.7.1
VendorProductVersionCPE
zendzend_framework*cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:*
zendzend-mail*cpe:2.3:a:zend:zend-mail:*:*:*:*:*:*:*:*
zendzend-mail2.5.0cpe:2.3:a:zend:zend-mail:2.5.0:*:*:*:*:*:*:*
zendzend-mail2.5.1cpe:2.3:a:zend:zend-mail:2.5.1:*:*:*:*:*:*:*
zendzend-mail2.5.2cpe:2.3:a:zend:zend-mail:2.5.2:*:*:*:*:*:*:*
zendzend-mail2.6.0cpe:2.3:a:zend:zend-mail:2.6.0:*:*:*:*:*:*:*
zendzend-mail2.6.1cpe:2.3:a:zend:zend-mail:2.6.1:*:*:*:*:*:*:*
zendzend-mail2.6.2cpe:2.3:a:zend:zend-mail:2.6.2:*:*:*:*:*:*:*
zendzend-mail2.7.0cpe:2.3:a:zend:zend-mail:2.7.0:*:*:*:*:*:*:*
zendzend-mail2.7.1cpe:2.3:a:zend:zend-mail:2.7.1:*:*:*:*:*:*:*

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.7

Confidence

High

EPSS

0.964

Percentile

99.6%