ZendFramework potential remote code execution in zend-mail via Sendmail adapter

2024-06-0720:47:30

Google

osv.dev

zendframework

zend-mail

remote code execution

sendmail adapter

7.2 High

AI Score

Confidence

Low

JSON

When using the zend-mail component to send email via the Zend\Mail\Transport\Sendmail transport, a malicious user may be able to inject arbitrary parameters to the system sendmail program. The attack is performed by providing additional quote characters within an address; when unsanitized, they can be interpreted as additional command line arguments, leading to the vulnerability.

CPENameOperatorVersion
zendframework/zendframeworkeq2.2.3
zendframework/zendframeworkeq2.0.1
zendframework/zendframeworkeq2.4.5
zendframework/zendframeworkeq2.4.0rc2
zendframework/zendframeworkeq2.4.8
zendframework/zendframeworkeq2.2.9
zendframework/zendframeworkeq2.3.5
zendframework/zendframeworkeq2.4.0
zendframework/zendframeworkeq2.1.4
zendframework/zendframeworkeq2.3.0

Name	Operator	Version
zendframework/zendframework	eq	2.2.3
zendframework/zendframework	eq	2.0.1
zendframework/zendframework	eq	2.4.5
zendframework/zendframework	eq	2.4.0rc2
zendframework/zendframework	eq	2.4.8
zendframework/zendframework	eq	2.2.9
zendframework/zendframework	eq	2.3.5
zendframework/zendframework	eq	2.4.0
zendframework/zendframework	eq	2.1.4
zendframework/zendframework	eq	2.3.0

Rows per page:

1-10 of 581

References

github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/ZF2016-04.yaml

github.com/zendframework/zendframework

github.com/zendframework/zendframework/commit/7c1e89815f5a9c016f4b8088e59b07cb2bf99dc0

web.archive.org/web/20201107093523/https://framework.zend.com/security/advisory/ZF2016-04

7.2 High

AI Score

Confidence

Low

JSON