CVE-2017-15806: Arbitrary code execution via a crafted email address
The send function in the ezcMailMtaTransport class in Zeta Components Mail (the zetacomponents/mail package) before 1.8.2 does not properly restrict the set of characters used in the ezcMail returnPath property, which might allow remote attackers to execute arbitrary code via a crafted email address, as demonstrated by one containing "-X/path/to/wwwroot/file.php".

The transport passes the returnPath address to PHP's mail() as the additional_parameters argument, in the form "-f<address>". PHP runs that string through escapeshellcmd() and hands it to the sendmail binary via a shell; escapeshellcmd() does not escape spaces, so an address containing whitespace is split into extra sendmail arguments. Sendmail's -X option writes a transcript of the transaction, including the message body, to the named file, so an attacker who controls both the address and the body can drop PHP source under the web root and then request it. This is the same argument-injection pattern as CVE-2016-10033 (PHPMailer) and CVE-2016-10074 (SwiftMailer). An application is exposed whenever it copies a user-controlled address (a contact-form sender, for example) into returnPath; upgrading the package, or rejecting any return path that is not a single plain address before it is assigned, closes the hole.
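The following PHP script is an added example, not code from Zeta Components Mail or from this advisory. It models how a returnPath value ends up on the sendmail command line via mail() (the sendmail path and the "-t -i" options are assumed), and shows a strict allow-list check to apply before assigning ezcMail::$returnPath. The addresses and the web-root path are constructed for the demonstration; buildReturnPath is a hypothetical wrapper, not part of the library's API.

```php
<?php
// Added example (not Zeta Components Mail code): model the command line
// that mail() builds from a return path, and gate the value with a strict
// check before it can reach ezcMail::$returnPath. Paths are hypothetical.

// PHP's mail() appends additional_parameters to the sendmail command after
// escapeshellcmd(). Spaces survive escaping, so they become argument
// boundaries in the shell. Sendmail path and base options are assumed.
function modelSendmailCommandLine(string $returnPath): string
{
    return '/usr/sbin/sendmail -t -i ' . escapeshellcmd('-f' . $returnPath);
}

// Strict allow-list for a return path: one unquoted local part, one dotted
// domain, and none of the characters that can open an argument boundary
// (whitespace, quotes, backslashes). Deliberately narrower than RFC 5322,
// which permits quoted local parts such as "a b"@example.com.
function isSafeReturnPath(string $addr): bool
{
    if (strlen($addr) > 254) {
        return false;
    }
    return preg_match(
        '/\A[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/',
        $addr
    ) === 1;
}

// Hypothetical wrapper: refuse to build the mail at all when the return
// path fails the check, instead of letting mail() see the raw value.
function buildReturnPath(string $candidate): string
{
    if (!isSafeReturnPath($candidate)) {
        throw new InvalidArgumentException("unsafe return path: $candidate");
    }
    return $candidate;
}

$benign = 'bounces@example.com';

// Shape of the crafted address from the advisory (constructed here). The
// quoted local part is syntactically valid, so an RFC-based check such as
// filter_var() is not a reliable guard; the spaces inside it are what turn
// "-X/path/to/wwwroot/file.php" into a separate sendmail argument.
$crafted = '"a\\" -X/path/to/wwwroot/file.php "@example.com';

foreach ([$benign, $crafted] as $addr) {
    printf("address      : %s\n", $addr);
    printf("filter_var   : %s\n",
        filter_var($addr, FILTER_VALIDATE_EMAIL) !== false ? 'accepted' : 'rejected');
    printf("strict check : %s\n", isSafeReturnPath($addr) ? 'accepted' : 'rejected');
    printf("command line : %s\n\n", modelSendmailCommandLine($addr));
}

// Using the wrapper in the same place the application would set returnPath:
try {
    $safe = buildReturnPath($crafted);   // never reached for the crafted value
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Run it with php-cli and compare the two modeled command lines: for the crafted address the "-X/path/to/wwwroot/file.php" token sits outside the quoted part of the "-f" argument, which is the injected sendmail option, while the strict check rejects that value before any of this happens. The allow-list knowingly refuses some addresses that RFC 5322 permits; for a bounce address that trade-off is acceptable, and it is far easier to reason about than trying to shell-escape the value after the fact.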
Detect and mitigate CVE-2017-15806 with GitLab Dependency Scanning
Dependency Scanning checks the open source dependencies declared in a project (for this CVE, the Composer package) against disclosed vulnerabilities and flags versions that need to be upgraded.