Zend Framework issued a vulnerability alert on 2016-12-20: [CVE-2016-10034][ZF2016-04] Zend Framework: potential remote code execution in zend-mail via Sendmail adapter.
The CVE-2016-10034 vulnerability affects Zend Framework 2: when the zend-mail component is used to send email via the Zend\Mail\Transport\Sendmail transport, a malicious user may be able to inject arbitrary parameters into the system sendmail program.
Call to Action
The Zend Framework vendor has already released patches that resolve the vulnerability. They are available in:
- zend-mail, starting in version 2.7.2
- zend-mail, 2.4.11
- Zend Framework, 2.4.11
Plesk is not affected, as it uses Zend Framework 1, which has different code. If any client PHP versions installed on a server have Zend Framework 2 loaded, make sure Zend Framework 2 is updated to at least version 2.4.11.
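
To find client applications that still need the update, the following added example (not code from Zend or Plesk) reads a Composer lock file and compares the locked versions with the fixed releases listed above. The package names `zendframework/zend-mail` and `zendframework/zendframework` and the treatment of later 2.4.x releases as patched are assumptions; the sample lock content is constructed.

```python
import json

# Fixed releases as listed in the advisory text.
MAIL_FIXED = (2, 7, 2)        # zend-mail, "starting in version 2.7.2"
MAIL_FIXED_24 = (2, 4, 11)    # zend-mail fix on the 2.4 line
FRAMEWORK_FIXED = (2, 4, 11)  # Zend Framework 2: "at least 2.4.11"
# Assumed Composer package names (not stated on the page).
WATCHED = ("zendframework/zend-mail", "zendframework/zendframework")

def parse_version(text):
    """'v2.4.10' -> (2, 4, 10); None for aliases such as 'dev-master'."""
    parts = text.lstrip("vV").split("-")[0].split("+")[0].split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def status(name, version):
    v = parse_version(version)
    if v is None:
        return "unknown"  # branch builds need a manual look
    if name == "zendframework/zend-mail":
        # Assumption: later 2.4.x releases keep the 2.4.11 fix.
        ok = v >= MAIL_FIXED or MAIL_FIXED_24 <= v < (2, 5, 0)
    else:
        ok = v >= FRAMEWORK_FIXED
    return "patched" if ok else "vulnerable"

def scan_lock(lock_text):
    """Return (package, version, status) for each watched package."""
    data = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section) or []:
            name = str(pkg.get("name", "")).lower()
            version = str(pkg.get("version", ""))
            if name in WATCHED:
                findings.append((name, version, status(name, version)))
    return findings

# Constructed sample composer.lock content, not taken from a real project.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "zendframework/zend-mail", "version": "2.7.1"}],
    "packages-dev": [{"name": "zendframework/zendframework", "version": "2.4.10"}],
})

if __name__ == "__main__":
    for name, version, state in scan_lock(SAMPLE_LOCK):
        print(f"{name} {version}: {state}")
```

On a real server, pass the contents of each application's `composer.lock` to `scan_lock`; entries reported as `unknown` are development branches whose fix status has to be checked by hand.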