Search
Find a vulnerability
Search criteria
4 vulnerabilities by zetacomponents
CVE-2023-24108 (GCVE-0-2023-24108)
Vulnerability from nvd – Published: 2023-02-22 00:00 – Updated: 2025-03-13 19:42
VLAI
Summary
MvcTools 6d48cd6830fc1df1d8c9d61caa1805fd6a1b7737 was discovered to contain a code execution backdoor via the request package (requirements.txt). This vulnerability allows attackers to access sensitive user information and execute arbitrary code.
Severity
9.8 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-912 - Hidden Functionality
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:49:08.851Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mirrors.neusoft.edu.cn/pypi/web/simple/request/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/zetacomponents/MvcTools/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/zetacomponents/MvcTools/issues/12"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-24108",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-13T19:41:36.886815Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-912",
"description": "CWE-912 Hidden Functionality",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T19:42:13.769Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MvcTools 6d48cd6830fc1df1d8c9d61caa1805fd6a1b7737 was discovered to contain a code execution backdoor via the request package (requirements.txt). This vulnerability allows attackers to access sensitive user information and execute arbitrary code."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-22T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://mirrors.neusoft.edu.cn/pypi/web/simple/request/"
},
{
"url": "https://github.com/zetacomponents/MvcTools/"
},
{
"url": "https://github.com/zetacomponents/MvcTools/issues/12"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-24108",
"datePublished": "2023-02-22T00:00:00.000Z",
"dateReserved": "2023-01-23T00:00:00.000Z",
"dateUpdated": "2025-03-13T19:42:13.769Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-15806 (GCVE-0-2017-15806)
Vulnerability from nvd – Published: 2017-11-15 16:00 – Updated: 2024-08-05 20:04
VLAI
Summary
The send function in the ezcMailMtaTransport class in Zeta Components Mail before 1.8.2 does not properly restrict the set of characters used in the ezcMail returnPath property, which might allow remote attackers to execute arbitrary code via a crafted email address, as demonstrated by one containing "-X/path/to/wwwroot/file.php."
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/43155/ | exploitx_refsource_EXPLOIT-DB |
| https://kay-malwarebenchmark.github.io/blog/cve-2… | x_refsource_MISC |
| https://kay-malwarebenchmark.github.io/blog/cve-2… | x_refsource_MISC |
| https://github.com/zetacomponents/Mail/issues/58 | x_refsource_CONFIRM |
| https://github.com/zetacomponents/Mail/releases/t… | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/101866 | vdb-entryx_refsource_BID |
Date Public
2017-11-12 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:04:50.350Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "43155",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/43155/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kay-malwarebenchmark.github.io/blog/cve-2017-15806-critical-rce-vulnerability/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kay-malwarebenchmark.github.io/blog/cve-2017-15806-yuan-cheng-dai-ma-zhi-xing-lou-dong/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/zetacomponents/Mail/issues/58"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/zetacomponents/Mail/releases/tag/1.8.2"
},
{
"name": "101866",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/101866"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-11-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The send function in the ezcMailMtaTransport class in Zeta Components Mail before 1.8.2 does not properly restrict the set of characters used in the ezcMail returnPath property, which might allow remote attackers to execute arbitrary code via a crafted email address, as demonstrated by one containing \"-X/path/to/wwwroot/file.php.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-11-18T10:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "43155",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/43155/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kay-malwarebenchmark.github.io/blog/cve-2017-15806-critical-rce-vulnerability/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kay-malwarebenchmark.github.io/blog/cve-2017-15806-yuan-cheng-dai-ma-zhi-xing-lou-dong/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zetacomponents/Mail/issues/58"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zetacomponents/Mail/releases/tag/1.8.2"
},
{
"name": "101866",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/101866"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-15806",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The send function in the ezcMailMtaTransport class in Zeta Components Mail before 1.8.2 does not properly restrict the set of characters used in the ezcMail returnPath property, which might allow remote attackers to execute arbitrary code via a crafted email address, as demonstrated by one containing \"-X/path/to/wwwroot/file.php.\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "43155",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/43155/"
},
{
"name": "https://kay-malwarebenchmark.github.io/blog/cve-2017-15806-critical-rce-vulnerability/",
"refsource": "MISC",
"url": "https://kay-malwarebenchmark.github.io/blog/cve-2017-15806-critical-rce-vulnerability/"
},
{
"name": "https://kay-malwarebenchmark.github.io/blog/cve-2017-15806-yuan-cheng-dai-ma-zhi-xing-lou-dong/",
"refsource": "MISC",
"url": "https://kay-malwarebenchmark.github.io/blog/cve-2017-15806-yuan-cheng-dai-ma-zhi-xing-lou-dong/"
},
{
"name": "https://github.com/zetacomponents/Mail/issues/58",
"refsource": "CONFIRM",
"url": "https://github.com/zetacomponents/Mail/issues/58"
},
{
"name": "https://github.com/zetacomponents/Mail/releases/tag/1.8.2",
"refsource": "CONFIRM",
"url": "https://github.com/zetacomponents/Mail/releases/tag/1.8.2"
},
{
"name": "101866",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/101866"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-15806",
"datePublished": "2017-11-15T16:00:00.000Z",
"dateReserved": "2017-10-23T00:00:00.000Z",
"dateUpdated": "2024-08-05T20:04:50.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-24108 (GCVE-0-2023-24108)
Vulnerability from cvelistv5 – Published: 2023-02-22 00:00 – Updated: 2025-03-13 19:42
VLAI
Summary
MvcTools 6d48cd6830fc1df1d8c9d61caa1805fd6a1b7737 was discovered to contain a code execution backdoor via the request package (requirements.txt). This vulnerability allows attackers to access sensitive user information and execute arbitrary code.
Severity
9.8 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-912 - Hidden Functionality
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:49:08.851Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mirrors.neusoft.edu.cn/pypi/web/simple/request/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/zetacomponents/MvcTools/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/zetacomponents/MvcTools/issues/12"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-24108",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-13T19:41:36.886815Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-912",
"description": "CWE-912 Hidden Functionality",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T19:42:13.769Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MvcTools 6d48cd6830fc1df1d8c9d61caa1805fd6a1b7737 was discovered to contain a code execution backdoor via the request package (requirements.txt). This vulnerability allows attackers to access sensitive user information and execute arbitrary code."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-22T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://mirrors.neusoft.edu.cn/pypi/web/simple/request/"
},
{
"url": "https://github.com/zetacomponents/MvcTools/"
},
{
"url": "https://github.com/zetacomponents/MvcTools/issues/12"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-24108",
"datePublished": "2023-02-22T00:00:00.000Z",
"dateReserved": "2023-01-23T00:00:00.000Z",
"dateUpdated": "2025-03-13T19:42:13.769Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-15806 (GCVE-0-2017-15806)
Vulnerability from cvelistv5 – Published: 2017-11-15 16:00 – Updated: 2024-08-05 20:04
VLAI
Summary
The send function in the ezcMailMtaTransport class in Zeta Components Mail before 1.8.2 does not properly restrict the set of characters used in the ezcMail returnPath property, which might allow remote attackers to execute arbitrary code via a crafted email address, as demonstrated by one containing "-X/path/to/wwwroot/file.php."
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/43155/ | exploitx_refsource_EXPLOIT-DB |
| https://kay-malwarebenchmark.github.io/blog/cve-2… | x_refsource_MISC |
| https://kay-malwarebenchmark.github.io/blog/cve-2… | x_refsource_MISC |
| https://github.com/zetacomponents/Mail/issues/58 | x_refsource_CONFIRM |
| https://github.com/zetacomponents/Mail/releases/t… | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/101866 | vdb-entryx_refsource_BID |
Date Public
2017-11-12 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:04:50.350Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "43155",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/43155/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kay-malwarebenchmark.github.io/blog/cve-2017-15806-critical-rce-vulnerability/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kay-malwarebenchmark.github.io/blog/cve-2017-15806-yuan-cheng-dai-ma-zhi-xing-lou-dong/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/zetacomponents/Mail/issues/58"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/zetacomponents/Mail/releases/tag/1.8.2"
},
{
"name": "101866",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/101866"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-11-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The send function in the ezcMailMtaTransport class in Zeta Components Mail before 1.8.2 does not properly restrict the set of characters used in the ezcMail returnPath property, which might allow remote attackers to execute arbitrary code via a crafted email address, as demonstrated by one containing \"-X/path/to/wwwroot/file.php.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-11-18T10:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "43155",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/43155/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kay-malwarebenchmark.github.io/blog/cve-2017-15806-critical-rce-vulnerability/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kay-malwarebenchmark.github.io/blog/cve-2017-15806-yuan-cheng-dai-ma-zhi-xing-lou-dong/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zetacomponents/Mail/issues/58"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zetacomponents/Mail/releases/tag/1.8.2"
},
{
"name": "101866",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/101866"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-15806",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The send function in the ezcMailMtaTransport class in Zeta Components Mail before 1.8.2 does not properly restrict the set of characters used in the ezcMail returnPath property, which might allow remote attackers to execute arbitrary code via a crafted email address, as demonstrated by one containing \"-X/path/to/wwwroot/file.php.\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "43155",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/43155/"
},
{
"name": "https://kay-malwarebenchmark.github.io/blog/cve-2017-15806-critical-rce-vulnerability/",
"refsource": "MISC",
"url": "https://kay-malwarebenchmark.github.io/blog/cve-2017-15806-critical-rce-vulnerability/"
},
{
"name": "https://kay-malwarebenchmark.github.io/blog/cve-2017-15806-yuan-cheng-dai-ma-zhi-xing-lou-dong/",
"refsource": "MISC",
"url": "https://kay-malwarebenchmark.github.io/blog/cve-2017-15806-yuan-cheng-dai-ma-zhi-xing-lou-dong/"
},
{
"name": "https://github.com/zetacomponents/Mail/issues/58",
"refsource": "CONFIRM",
"url": "https://github.com/zetacomponents/Mail/issues/58"
},
{
"name": "https://github.com/zetacomponents/Mail/releases/tag/1.8.2",
"refsource": "CONFIRM",
"url": "https://github.com/zetacomponents/Mail/releases/tag/1.8.2"
},
{
"name": "101866",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/101866"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-15806",
"datePublished": "2017-11-15T16:00:00.000Z",
"dateReserved": "2017-10-23T00:00:00.000Z",
"dateUpdated": "2024-08-05T20:04:50.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}