CVE-2016-10034

Published: Dec 30, 2016Modified: May 6, 2026

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address.

Affected (10)

Products: Zend: Zend Framework, Zend Mail

2 products

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Zend Zend Framework	Up to 2.4.10

Configuration B

9 vulnerable

Vulnerable Software	Affected Versions
Zend Zend Mail	Up to 2.4.10
Zend Zend Mail	Version 2.5.0
Zend Zend Mail	Version 2.5.1
Zend Zend Mail	Version 2.5.2
Zend Zend Mail	Version 2.6.0
Zend Zend Mail	Version 2.6.1
Zend Zend Mail	Version 2.6.2
Zend Zend Mail	Version 2.7.0
Zend Zend Mail	Version 2.7.1

Related CWEs

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (16)

http://www.securityfocus.com/bid/95144

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1037539

Source: cve@mitre.org

https://framework.zend.com/security/advisory/ZF2016-04

Source: cve@mitre.org

ExploitTechnical DescriptionVendor Advisory

https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html

Source: cve@mitre.org

ExploitTechnical DescriptionThird Party Advisory

https://security.gentoo.org/glsa/201804-10

Source: cve@mitre.org

https://www.exploit-db.com/exploits/40979/

Source: cve@mitre.org

https://www.exploit-db.com/exploits/40986/

Source: cve@mitre.org

https://www.exploit-db.com/exploits/42221/

Source: cve@mitre.org

http://www.securityfocus.com/bid/95144

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1037539

Source: af854a3a-2127-422b-91ae-364da2661108

https://framework.zend.com/security/advisory/ZF2016-04

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitTechnical DescriptionVendor Advisory

https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitTechnical DescriptionThird Party Advisory

https://security.gentoo.org/glsa/201804-10

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.exploit-db.com/exploits/40979/

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.exploit-db.com/exploits/40986/

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.exploit-db.com/exploits/42221/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.