PT-2020-7833 · Zend · Zend-Mail+1

Filippo Tessarotto

Published

2015-05-20

Updated

2022-05-24

CVE-2015-3154

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Zend Framework versions prior to 1.12.12 Zend Framework 2.x versions prior to 2.3.8 Zend Framework 2.4.x versions prior to 2.4.1

Description: A CRLF injection vulnerability in ZendMail (Zend Mail) allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.

Recommendations: For versions prior to 1.12.12, update to version 1.12.12 or later. For 2.x versions prior to 2.3.8, update to version 2.3.8 or later. For 2.4.x versions prior to 2.4.1, update to version 2.4.1 or later.

Exploit

Fix

Special Elements Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-74

Related Identifiers

CVE-2015-3154

DLA-251-1

DSA-3265-1

DSA-3265-2

GHSA-5957-5CRX-79JX

MGASA-2015-0241

Affected Products

Zend Framework

Zend-Mail

PT-2020-7833 · Zend · Zend-Mail+1

CVE-2015-3154

Weakness Enumeration

Related Identifiers

Affected Products

References · 22