CVE-2017-15806
The send function in the ezcMailMtaTransport class in Zeta Components Mail before 1.8.2 does not properly restrict the set of characters used in the ezcMail returnPath property, which might allow remote attackers to execute arbitrary code via a crafted email address, as demonstrated by one containing "-X/path/to/wwwroot/file.php."
Affected products
n/a · n/a
Public PoCs found: 2
cve_reference: www.exploit-db.com/exploits/43155/ (unverified)
exploitdb: www.exploit-db.com/exploits/43155 (unverified)
⚠ Public resources, for assessing the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://github.com/zetacomponents/Mail/issues/58
https://github.com/zetacomponents/Mail/releases/tag/1.8.2
https://kay-malwarebenchmark.github.io/blog/cve-2017-15806-critical-rce-vulnerability/
https://kay-malwarebenchmark.github.io/blog/cve-2017-15806-yuan-cheng-dai-ma-zhi-xing-lou-dong/
https://www.exploit-db.com/exploits/43155/
http://www.securityfocus.com/bid/101866