CVE-2017-15806
Zeta Components Mail 1.8.1 - Remote Code Execution
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
The send function in the ezcMailMtaTransport class in Zeta Components Mail before 1.8.2 does not properly restrict the set of characters used in the ezcMail returnPath property, which might allow remote attackers to execute arbitrary code via a crafted email address, as demonstrated by one containing "-X/path/to/wwwroot/file.php."
La función send en la clase ezcMailMtaTransport en Zeta Components Mail en versiones anteriores a la 1.8.2 no restringe correctamente el conjunto de caracteres empleados en la propiedad de ezcMail returnPath, lo que podría permitir que atacantes remotos ejecuten código arbitrario mediante una dirección de correo electrónico manipulada, tal y como demuestra una que contenga "-X/path/to/wwwroot/file.php".
CVSS Scores
SSVC
- Decision:-
Timeline
- 2017-10-23 CVE Reserved
- 2017-11-15 CVE Published
- 2023-10-26 EPSS Updated
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
References (6)
URL | Tag | Source |
---|---|---|
http://www.securityfocus.com/bid/101866 | Third Party Advisory | |
https://github.com/zetacomponents/Mail/issues/58 | Issue Tracking | |
https://github.com/zetacomponents/Mail/releases/tag/1.8.2 | Issue Tracking | |
https://kay-malwarebenchmark.github.io/blog/cve-2017-15806-critical-rce-vulnerability | Issue Tracking | |
https://kay-malwarebenchmark.github.io/blog/cve-2017-15806-yuan-cheng-dai-ma-zhi-xing-lou-dong | Issue Tracking |
URL | Date | SRC |
---|---|---|
https://www.exploit-db.com/exploits/43155 | 2024-08-05 |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Zetacomponents Search vendor "Zetacomponents" | Mail Search vendor "Zetacomponents" for product "Mail" | < 1.8.2 Search vendor "Zetacomponents" for product "Mail" and version " < 1.8.2" | - |
Affected
|