Zeta Components Mail CVE-2017-15806 Arbitrary Code Execution Vulnerability

Zeta Components Mail is prone to an arbitrary code execution vulnerability.

Successful exploits allow attackers to execute arbitrary code in the context of the host operating system. Failed exploit attempts will result in a denial of service condition.

Zeta Components Mail prior to 1.8.2 are vulnerable.

Information

Bugtraq ID: 101866
Class: Input Validation Error
CVE: CVE-2017-15806

Remote: Yes
Local: Yes
Published: Nov 15 2017 12:00AM
Updated: Nov 16 2017 03:07PM
Credit: Kay.
Vulnerable: Zeta Components Mail 1.8

Not Vulnerable: Zeta Components Mail 1.8.2

Exploit

The researcher has created a proof-of-concept to demonstrate the issue. Please see the references for more information.

References:

• Zeta Components Homepage (Zeta Components)
  
• CVE-2017-15806: Critical RCE Vulnerability (malwarebenchmark)
  
• Mail 1.8.2 released (Github)
  
• Restrict characters that can be used for the returnPath property of ezcMail (CVE (Github)
  

Source: www.securityfocus.com