Skip to content

Zeta Components Mail Arbitrary code execution via a crafted email address

High severity GitHub Reviewed Published May 17, 2022 to the GitHub Advisory Database • Updated Apr 23, 2024

Package

composer zetacomponents/mail (Composer)

Affected versions

< 1.8.2

Patched versions

1.8.2

Description

The send function in the ezcMailMtaTransport class in Zeta Components Mail before 1.8.2 does not properly restrict the set of characters used in the ezcMail returnPath property, which might allow remote attackers to execute arbitrary code via a crafted email address, as demonstrated by one containing "-X/path/to/wwwroot/file.php."

References

Published by the National Vulnerability Database Nov 15, 2017
Published to the GitHub Advisory Database May 17, 2022
Reviewed Apr 23, 2024
Last updated Apr 23, 2024

Severity

High
8.1
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses

CVE ID

CVE-2017-15806

GHSA ID

GHSA-hgr8-g756-vmg9

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.