CVE-2016-10034

Name of the Vulnerable Software and Affected Versions zend-mail component versions prior to 2.4.11 zend-mail component versions 2.5.x zend-mail component versions 2.6.x zend-mail component versions 2.7.x prior to 2.7.2 Zend Framework versions prior to 2.4.11

Description The issue allows remote attackers to potentially execute arbitrary code by passing extra parameters to the mail command. This is achieved through a crafted e-mail address containing a backslash double quote (") in the setFrom function of the Sendmail adapter in the zend-mail component.

Recommendations For versions prior to 2.4.11, update to version 2.4.11 or later. For versions 2.5.x, update to version 2.7.2 or later. For versions 2.6.x, update to version 2.7.2 or later. For versions 2.7.x prior to 2.7.2, update to version 2.7.2. As a temporary workaround, consider restricting the use of the setFrom function in the Sendmail adapter until a patch is available.