ZF2016-04: Remote code execution via Sendmail adapter

December 20, 2016

A malicious user may be able to inject arbitrary parameters to the system Sendmail program. The attack is performed by providing additional quote characters within an address; when unsanitized, they can be interpreted as additional command line arguments, leading to the vulnerability.

References

framework.zend.com/security/advisory/ZF2016-04

Detect and mitigate ZF2016-04 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →