CVE-2016-10034
published 2016-12-30

Priority: P275 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 38.44% (98.4th percentile)

The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address.

Affected

14 ranges
Vendor          Product          Version range     Fixed in
zend            zend-mail        <= 2.4.10
zend            zend-mail
zend            zend-mail
zend            zend-mail
zend            zend-mail
zend            zend-mail
zend            zend-mail
zend            zend-mail
zend            zend-mail
zend            zend_framework   <= 2.4.10
zendframework   zend-mail        >= 0 < 2.4.11     2.4.11
zendframework   zend-mail        2.5 – 2.5.2
zendframework   zend-mail        2.6 – 2.6.2
zendframework   zend-mail        >= 2.7 < 2.7.2    2.7.2

Detection & IOCs (extracted from sources)

command: "attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com
path: /var/www/cache/phpcode.php
  • Detect email addresses containing backslash-doublequote sequences (\") in the From/sender field, which are used to inject extra parameters into the sendmail command.
  • Monitor for sendmail/mail process invocations that include flags such as -oQ or -X (log file path injection), which indicate successful parameter injection from a crafted From address.
  • Look for outbound /dev/tcp reverse shell connections spawned from web server processes (e.g., apache, php-fpm), which are the final stage of the exploit chain.
  • Inspect contact/registration form submissions for email field values containing backslash, double-quote, and flag-like strings (e.g., -oQ, -X, -be) as indicators of injection attempts.
  • The vulnerability is triggered via the setFrom() function in the Zend-Mail Sendmail adapter; audit all call sites of setFrom() for unsanitized user-controlled input.
  • The vulnerability only affects the Sendmail transport adapter in zend-mail; other transports (SMTP, etc.) are not impacted. Ensure the Sendmail adapter is actually in use before prioritising this CVE.
  • Fixed versions are zend-mail >= 2.4.11 and >= 2.7.2, and Zend Framework >= 2.4.11. Detections targeting process arguments are only relevant on unpatched instances.
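
The input-side checks in the notes above (backslash-doublequote sequences and flag-like strings in a sender field) can be run over stored form submissions. The following is an added example, not code from zend-mail or from the sources this page quotes; the function names and the sample submissions are assumptions made for illustration.

```python
import re

# Patterns from the detection notes above. Constant and function names are
# hypothetical; this is not zend-mail code.
ESCAPED_QUOTE = re.compile(r'\\"')                    # backslash followed by a double quote
OPTION_AFTER_SPACE = re.compile(r'\s(-[A-Za-z]\S*)')  # flag-like token, e.g. -oQ/tmp/

def assess_sender(address):
    """Classify a value headed for setFrom(): returns (verdict, reasons)."""
    reasons = []
    if ESCAPED_QUOTE.search(address):
        reasons.append("backslash-doublequote")
    options = OPTION_AFTER_SPACE.findall(address)
    if options:
        reasons.append("option-like tokens: " + " ".join(options))
    if reasons:
        return "block", reasons
    # Quoted local parts with spaces are legal syntax but rare in form input,
    # so they go to manual review instead of being rejected outright.
    if '"' in address or re.search(r"\s", address):
        return "review", ["quote or whitespace in address"]
    return "ok", []

def triage(submissions):
    """Return (form_id, verdict, reasons) for every submission that is not ok."""
    findings = []
    for form_id, address in submissions:
        verdict, reasons = assess_sender(address)
        if verdict != "ok":
            findings.append((form_id, verdict, reasons))
    return findings

# Constructed form submissions. Entry 3 is the crafted address listed under
# "Detection & IOCs" on this page; the others are made up for contrast.
SAMPLE_SUBMISSIONS = [
    (1, "alice@example.com"),
    (2, "first-last@example.com"),
    (3, r'"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com'),
    (4, '"john doe"@example.com'),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_SUBMISSIONS):
        print(finding)
```

A hyphen inside an ordinary address (entry 2) is not flagged, because the option pattern only matches a dash that follows whitespace.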

CVSS provenance

nvd   v3.0   9.8   CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd   v2.0   7.5   HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P