Name of the Vulnerable Software and Affected Versions: zend-mail (affected versions not specified)

Description: The issue allows a malicious user to inject arbitrary parameters to the system sendmail program when using the zend-mail component to send email via the ZendMailTransportSendmail transport. This is achieved by providing additional quote characters within an address, which can be interpreted as additional command line arguments when unsanitized. The vulnerability is demonstrated through an example where a malicious user injects parameters to the sendmail binary via the From address. The attack works because zend-mail filters email addresses using the RFC 3696 specification, which considers the string "AAA" params injection"@domain a valid address.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.