High severity 8.1 · NVD Advisory · Published Nov 15, 2017 · Updated May 13, 2026
CVE-2017-15806
Description
The send function in the ezcMailMtaTransport class in Zeta Components Mail before 1.8.2 does not properly restrict the set of characters used in the ezcMail returnPath property, which might allow remote attackers to execute arbitrary code via a crafted email address, as demonstrated by one containing "-X/path/to/wwwroot/file.php."
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| zetacomponents/mail (Packagist) | < 1.8.2 | 1.8.2 |
References
- www.securityfocus.com/bid/101866 (nvd; Third Party Advisory, VDB Entry; WEB)
- github.com/advisories/GHSA-hgr8-g756-vmg9 (ghsa; ADVISORY)
- github.com/zetacomponents/Mail/issues/58 (nvd; Issue Tracking, Third Party Advisory; WEB)
- github.com/zetacomponents/Mail/releases/tag/1.8.2 (nvd; Issue Tracking, Release Notes, Third Party Advisory; WEB)
- kay-malwarebenchmark.github.io/blog/cve-2017-15806-critical-rce-vulnerability/ (nvd; Issue Tracking, Third Party Advisory)
- kay-malwarebenchmark.github.io/blog/cve-2017-15806-yuan-cheng-dai-ma-zhi-xing-lou-dong/ (nvd; Issue Tracking, Third Party Advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-15806 (ghsa; ADVISORY)
- www.exploit-db.com/exploits/43155/ (nvd; Issue Tracking, Third Party Advisory, VDB Entry)
- github.com/FriendsOfPHP/security-advisories/blob/master/zetacomponents/mail/CVE-2017-15806.yaml (ghsa; WEB)
- kay-malwarebenchmark.github.io/blog/cve-2017-15806-critical-rce-vulnerability (ghsa; WEB)
- kay-malwarebenchmark.github.io/blog/cve-2017-15806-yuan-cheng-dai-ma-zhi-xing-lou-dong (ghsa; WEB)
- www.exploit-db.com/exploits/43155 (ghsa; WEB)