CVE-2016-10034: Command Injection

December 30, 2016 (updated October 21, 2018)

The setFrom function in the Sendmail adapter in the zend-mail component might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" in a crafted e-mail address.

References

www.securityfocus.com/bid/95144
framework.zend.com/security/advisory/ZF2016-04
nvd.nist.gov/vuln/detail/CVE-2016-10034

Code Behaviors & Features

Detect and mitigate CVE-2016-10034 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →