Zeta Components Mail is prone to an arbitrary code execution vulnerability.
Successful exploits allow attackers to execute arbitrary code in the context of the host operating system. Failed exploit attempts will result in a denial of service condition.
Versions of Zeta Components Mail prior to 1.8.2 are vulnerable.
Exploit
The researcher has created a proof-of-concept to demonstrate the issue. Please see the references for more information.
References:
- Zeta Components Homepage (Zeta Components)
- CVE-2017-15806: Critical RCE Vulnerability (malwarebenchmark)
- Mail 1.8.2 released (GitHub)
- Restrict characters that can be used for the returnPath property of ezcMail (CVE (GitHub)