Vulnerability-Lookup - Search a vulnerability

Search criteria

Vendor

Product

Assigner

Sources

Sort by

Order

CVE-2025-62763 (GCVE-0-2025-62763)

Vulnerability from cvelistv5 – Published: 2025-10-21 00:00 – Updated: 2025-12-08 15:40

Summary

Zimbra Collaboration (ZCS) before 10.1.12 allows SSRF because of the configuration of the chat proxy.

Severity ?

5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

mitre

References

URL

Tags

	https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
	https://wiki.zimbra.com/wiki/Security_Center
	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.12
	https://blog.zimbra.com/2025/10/patch-release-upd…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1…

Impacted products

	Vendor	Product	Version
	Zimbra	Collaboration	Affected: 0 , < 10.1.12 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-62763",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-21T18:32:55.264230Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T18:33:57.159Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Collaboration",
          "vendor": "Zimbra",
          "versions": [
            {
              "lessThan": "10.1.12",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:zimbra:collaboration:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.1.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Zimbra Collaboration (ZCS) before 10.1.12 allows SSRF because of the configuration of the chat proxy."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-08T15:40:54.823Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Security_Center"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.12"
        },
        {
          "url": "https://blog.zimbra.com/2025/10/patch-release-update-zimbra-10-1-12/"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.12#Security_Fixes"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-62763",
    "datePublished": "2025-10-21T00:00:00.000Z",
    "dateReserved": "2025-10-21T00:00:00.000Z",
    "dateUpdated": "2025-12-08T15:40:54.823Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-45515 (GCVE-0-2024-45515)

Vulnerability from cvelistv5 – Published: 2025-07-30 00:00 – Updated: 2025-07-30 18:52

Summary

An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A Cross-Site Scripting (XSS) vulnerability exists in Zimbra webmail due to insufficient validation of the content type metadata when importing files into the briefcase. Attackers can exploit this issue by crafting a file with manipulated metadata, allowing them to bypass content type checks and execute arbitrary JavaScript within the victim's session.

Severity ?

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

n/a

Assigner

mitre

References

URL

Tags

	https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
	https://wiki.zimbra.com/wiki/Security_Center
	https://wiki.zimbra.com/wiki/Zimbra_Responsible_D…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0…

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-45515",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-30T18:51:33.257262Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-30T18:52:05.267Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A Cross-Site Scripting (XSS) vulnerability exists in Zimbra webmail due to insufficient validation of the content type metadata when importing files into the briefcase. Attackers can exploit this issue by crafting a file with manipulated metadata, allowing them to bypass content type checks and execute arbitrary JavaScript within the victim\u0027s session."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-30T14:14:22.274Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Security_Center"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-45515",
    "datePublished": "2025-07-30T00:00:00.000Z",
    "dateReserved": "2024-09-01T00:00:00.000Z",
    "dateUpdated": "2025-07-30T18:52:05.267Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-27914 (GCVE-0-2025-27914)

Vulnerability from cvelistv5 – Published: 2025-03-12 00:00 – Updated: 2025-03-12 15:44

Summary

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A Reflected Cross-Site Scripting (XSS) vulnerability exists in the /h/rest endpoint, allowing authenticated attackers to inject and execute arbitrary JavaScript in a victim's session. Exploitation requires a valid auth token and involves a crafted URL with manipulated query parameters that triggers XSS when accessed by a victim.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE

n/a

Assigner

mitre

References

URL

Tags

	https://wiki.zimbra.com/wiki/Zimbra_Responsible_D…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0…

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-27914",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-12T15:37:30.760536Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-12T15:44:52.702Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A Reflected Cross-Site Scripting (XSS) vulnerability exists in the /h/rest endpoint, allowing authenticated attackers to inject and execute arbitrary JavaScript in a victim\u0027s session. Exploitation requires a valid auth token and involves a crafted URL with manipulated query parameters that triggers XSS when accessed by a victim."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-12T14:26:03.568Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.11#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-27914",
    "datePublished": "2025-03-12T00:00:00.000Z",
    "dateReserved": "2025-03-10T00:00:00.000Z",
    "dateUpdated": "2025-03-12T15:44:52.702Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-27915 (GCVE-0-2025-27915)

Vulnerability from cvelistv5 – Published: 2025-03-12 00:00 – Updated: 2025-10-21 22:55

Summary

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a <details> tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE

n/a

Assigner

mitre

References

URL

Tags

	https://wiki.zimbra.com/wiki/Security_Center
	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.…

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-27915",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-07T03:55:56.855156Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2025-10-07",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-27915"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T22:55:23.602Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "url": "https://strikeready.com/blog/0day-ics-attack-in-the-wild/"
          },
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-27915"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2025-10-07T00:00:00+00:00",
            "value": "CVE-2025-27915 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a \u003cdetails\u003e tag. This allows an attacker to run arbitrary JavaScript within the victim\u0027s session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim\u0027s account, including e-mail redirection and data exfiltration."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-12T14:31:38.012Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Security_Center"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.5#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.13#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P44#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-27915",
    "datePublished": "2025-03-12T00:00:00.000Z",
    "dateReserved": "2025-03-10T00:00:00.000Z",
    "dateUpdated": "2025-10-21T22:55:23.602Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-45518 (GCVE-0-2024-45518)

Vulnerability from cvelistv5 – Published: 2024-10-22 00:00 – Updated: 2024-10-22 18:10

Summary

An issue was discovered in Zimbra Collaboration (ZCS) 10.1.x before 10.1.1, 10.0.x before 10.0.9, 9.0.0 before Patch 41, and 8.8.15 before Patch 46. It allows authenticated users to exploit Server-Side Request Forgery (SSRF) due to improper input sanitization and misconfigured domain whitelisting. This issue permits unauthorized HTTP requests to be sent to internal services, which can lead to Remote Code Execution (RCE) by chaining Command Injection within the internal service. When combined with existing XSS vulnerabilities, this SSRF issue can further facilitate Remote Code Execution (RCE).

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

n/a

Assigner

mitre

References

URL

Tags

	https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
	https://wiki.zimbra.com/wiki/Security_Center
	https://wiki.zimbra.com/wiki/Zimbra_Responsible_D…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.…

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:zimbra:collaboration:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "collaboration",
            "vendor": "zimbra",
            "versions": [
              {
                "lessThan": "10.1.1",
                "status": "affected",
                "version": "10.1.0",
                "versionType": "custom"
              },
              {
                "lessThan": "10.0.9",
                "status": "affected",
                "version": "10.0.0",
                "versionType": "custom"
              },
              {
                "lessThan": "patch41",
                "status": "affected",
                "version": "9.0.0",
                "versionType": "custom"
              },
              {
                "lessThan": "patch46",
                "status": "affected",
                "version": "8.8.15",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-45518",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T18:07:12.455265Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-918",
                "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T18:10:41.843Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Zimbra Collaboration (ZCS) 10.1.x before 10.1.1, 10.0.x before 10.0.9, 9.0.0 before Patch 41, and 8.8.15 before Patch 46. It allows authenticated users to exploit Server-Side Request Forgery (SSRF) due to improper input sanitization and misconfigured domain whitelisting. This issue permits unauthorized HTTP requests to be sent to internal services, which can lead to Remote Code Execution (RCE) by chaining Command Injection within the internal service. When combined with existing XSS vulnerabilities, this SSRF issue can further facilitate Remote Code Execution (RCE)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-22T17:10:15.921452",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Security_Center"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P46#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-45518",
    "datePublished": "2024-10-22T00:00:00",
    "dateReserved": "2024-09-01T00:00:00",
    "dateUpdated": "2024-10-22T18:10:41.843Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-45519 (GCVE-0-2024-45519)

Vulnerability from cvelistv5 – Published: 2024-10-02 00:00 – Updated: 2025-10-21 22:55

Summary

The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows unauthenticated users to execute commands.

Severity ?

10 (Critical)


                        
                          CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:C/UI:N

CWE

n/a

Assigner

mitre

References

URL

Tags

	https://wiki.zimbra.com/wiki/Security_Center
	https://wiki.zimbra.com/wiki/Zimbra_Responsible_D…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.…

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:zimbra:zimbra_collaboration_suite:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "zimbra_collaboration_suite",
            "vendor": "zimbra",
            "versions": [
              {
                "lessThanOrEqual": "8.8.15",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:zimbra:zimbra_collaboration_suite:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "affected",
            "product": "zimbra_collaboration_suite",
            "vendor": "zimbra",
            "versions": [
              {
                "lessThanOrEqual": "9.0.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:zimbra:zimbra_collaboration_suite:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "affected",
            "product": "zimbra_collaboration_suite",
            "vendor": "zimbra",
            "versions": [
              {
                "lessThan": "10.0.9",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:zimbra:zimbra_collaboration_suite:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "affected",
            "product": "zimbra_collaboration_suite",
            "vendor": "zimbra",
            "versions": [
              {
                "lessThan": "10.1.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-45519",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-03T13:44:03.899299Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2024-10-03",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-45519"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-78",
                "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T22:55:43.984Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://blog.projectdiscovery.io/zimbra-remote-code-execution/"
          },
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-45519"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2024-10-03T00:00:00+00:00",
            "value": "CVE-2024-45519 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows unauthenticated users to execute commands."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:C/UI:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-22T21:01:35.614Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Security_Center"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P46#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-45519",
    "datePublished": "2024-10-02T00:00:00.000Z",
    "dateReserved": "2024-09-01T00:00:00.000Z",
    "dateUpdated": "2025-10-21T22:55:43.984Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-27443 (GCVE-0-2024-27443)

Vulnerability from cvelistv5 – Published: 2024-08-12 00:00 – Updated: 2025-10-21 22:55

Summary

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim's session, potentially leading to execution of arbitrary JavaScript code.

Severity ?

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

n/a

Assigner

mitre

References

URL

Tags

	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.…

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-27443",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-21T03:55:36.220790Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2025-05-19",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27443"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T22:55:48.688Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "third-party-advisory"
            ],
            "url": "https://www.welivesecurity.com/en/eset-research/operation-roundpress/"
          },
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27443"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2025-05-19T00:00:00+00:00",
            "value": "CVE-2024-27443 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim\u0027s session, potentially leading to execution of arbitrary JavaScript code."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-12T15:03:02.447Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.7#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P39#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-27443",
    "datePublished": "2024-08-12T00:00:00.000Z",
    "dateReserved": "2024-02-26T00:00:00.000Z",
    "dateUpdated": "2025-10-21T22:55:48.688Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-33536 (GCVE-0-2024-33536)

Vulnerability from cvelistv5 – Published: 2024-08-12 00:00 – Updated: 2025-03-25 16:10

Summary

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The vulnerability occurs due to inadequate input validation of the res parameter, allowing an authenticated attacker to inject and execute arbitrary JavaScript code within the context of another user's browser session. By uploading a malicious JavaScript file, accessible externally, and crafting a URL containing its location in the res parameter, the attacker can exploit this vulnerability. Subsequently, when another user visits the crafted URL, the malicious JavaScript code is executed.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE

n/a

Assigner

mitre

References

URL

Tags

	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.…

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-33536",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-12T15:33:06.891365Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-25T16:10:43.367Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The vulnerability occurs due to inadequate input validation of the res parameter, allowing an authenticated attacker to inject and execute arbitrary JavaScript code within the context of another user\u0027s browser session. By uploading a malicious JavaScript file, accessible externally, and crafting a URL containing its location in the res parameter, the attacker can exploit this vulnerability. Subsequently, when another user visits the crafted URL, the malicious JavaScript code is executed."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-12T14:56:33.319Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.8#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P40#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-33536",
    "datePublished": "2024-08-12T00:00:00.000Z",
    "dateReserved": "2024-04-24T00:00:00.000Z",
    "dateUpdated": "2025-03-25T16:10:43.367Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-27442 (GCVE-0-2024-27442)

Vulnerability from cvelistv5 – Published: 2024-08-12 00:00 – Updated: 2024-08-13 14:44

Summary

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The zmmailboxdmgr binary, a component of ZCS, is intended to be executed by the zimbra user with root privileges for specific mailbox operations. However, an attacker can escalate privileges from the zimbra user to root, because of improper handling of input arguments. An attacker can execute arbitrary commands with elevated privileges, leading to local privilege escalation.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

n/a

Assigner

mitre

References

URL

Tags

	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.…

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:zimbra:collaboration:9.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "collaboration",
            "vendor": "zimbra",
            "versions": [
              {
                "status": "affected",
                "version": "9.0"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:zimbra:collaboration:10.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "collaboration",
            "vendor": "zimbra",
            "versions": [
              {
                "status": "affected",
                "version": "10.0"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-27442",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-13T14:18:27.711384Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-269",
                "description": "CWE-269 Improper Privilege Management",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-13T14:44:13.521Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The zmmailboxdmgr binary, a component of ZCS, is intended to be executed by the zimbra user with root privileges for specific mailbox operations. However, an attacker can escalate privileges from the zimbra user to root, because of improper handling of input arguments. An attacker can execute arbitrary commands with elevated privileges, leading to local privilege escalation."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-12T14:58:03.586556",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.7#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P39#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-27442",
    "datePublished": "2024-08-12T00:00:00",
    "dateReserved": "2024-02-26T00:00:00",
    "dateUpdated": "2024-08-13T14:44:13.521Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-33535 (GCVE-0-2024-33535)

Vulnerability from cvelistv5 – Published: 2024-08-12 00:00 – Updated: 2025-03-19 15:58

Summary

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The vulnerability involves unauthenticated local file inclusion (LFI) in a web application, specifically impacting the handling of the packages parameter. Attackers can exploit this flaw to include arbitrary local files without authentication, potentially leading to unauthorized access to sensitive information. The vulnerability is limited to files within a specific directory.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

n/a

Assigner

mitre

References

URL

Tags

	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.…

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-33535",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-12T18:13:11.747339Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-22",
                "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-19T15:58:06.291Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The vulnerability involves unauthenticated local file inclusion (LFI) in a web application, specifically impacting the handling of the packages parameter. Attackers can exploit this flaw to include arbitrary local files without authentication, potentially leading to unauthorized access to sensitive information. The vulnerability is limited to files within a specific directory."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-12T14:57:05.961Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.8#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P40#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-33535",
    "datePublished": "2024-08-12T00:00:00.000Z",
    "dateReserved": "2024-04-24T00:00:00.000Z",
    "dateUpdated": "2025-03-19T15:58:06.291Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-62763 (GCVE-0-2025-62763)

Vulnerability from nvd – Published: 2025-10-21 00:00 – Updated: 2025-12-08 15:40

Summary

Zimbra Collaboration (ZCS) before 10.1.12 allows SSRF because of the configuration of the chat proxy.

Severity ?

5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

mitre

References

URL

Tags

	https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
	https://wiki.zimbra.com/wiki/Security_Center
	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.12
	https://blog.zimbra.com/2025/10/patch-release-upd…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1…

Impacted products

	Vendor	Product	Version
	Zimbra	Collaboration	Affected: 0 , < 10.1.12 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-62763",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-21T18:32:55.264230Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T18:33:57.159Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Collaboration",
          "vendor": "Zimbra",
          "versions": [
            {
              "lessThan": "10.1.12",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:zimbra:collaboration:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.1.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Zimbra Collaboration (ZCS) before 10.1.12 allows SSRF because of the configuration of the chat proxy."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-08T15:40:54.823Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Security_Center"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.12"
        },
        {
          "url": "https://blog.zimbra.com/2025/10/patch-release-update-zimbra-10-1-12/"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.12#Security_Fixes"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-62763",
    "datePublished": "2025-10-21T00:00:00.000Z",
    "dateReserved": "2025-10-21T00:00:00.000Z",
    "dateUpdated": "2025-12-08T15:40:54.823Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-45515 (GCVE-0-2024-45515)

Vulnerability from nvd – Published: 2025-07-30 00:00 – Updated: 2025-07-30 18:52

Summary

An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A Cross-Site Scripting (XSS) vulnerability exists in Zimbra webmail due to insufficient validation of the content type metadata when importing files into the briefcase. Attackers can exploit this issue by crafting a file with manipulated metadata, allowing them to bypass content type checks and execute arbitrary JavaScript within the victim's session.

Severity ?

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

n/a

Assigner

mitre

References

URL

Tags

	https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
	https://wiki.zimbra.com/wiki/Security_Center
	https://wiki.zimbra.com/wiki/Zimbra_Responsible_D…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0…

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-45515",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-30T18:51:33.257262Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-30T18:52:05.267Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A Cross-Site Scripting (XSS) vulnerability exists in Zimbra webmail due to insufficient validation of the content type metadata when importing files into the briefcase. Attackers can exploit this issue by crafting a file with manipulated metadata, allowing them to bypass content type checks and execute arbitrary JavaScript within the victim\u0027s session."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-30T14:14:22.274Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Security_Center"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-45515",
    "datePublished": "2025-07-30T00:00:00.000Z",
    "dateReserved": "2024-09-01T00:00:00.000Z",
    "dateUpdated": "2025-07-30T18:52:05.267Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-27914 (GCVE-0-2025-27914)

Vulnerability from nvd – Published: 2025-03-12 00:00 – Updated: 2025-03-12 15:44

Summary

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A Reflected Cross-Site Scripting (XSS) vulnerability exists in the /h/rest endpoint, allowing authenticated attackers to inject and execute arbitrary JavaScript in a victim's session. Exploitation requires a valid auth token and involves a crafted URL with manipulated query parameters that triggers XSS when accessed by a victim.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE

n/a

Assigner

mitre

References

URL

Tags

	https://wiki.zimbra.com/wiki/Zimbra_Responsible_D…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0…

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-27914",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-12T15:37:30.760536Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-12T15:44:52.702Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A Reflected Cross-Site Scripting (XSS) vulnerability exists in the /h/rest endpoint, allowing authenticated attackers to inject and execute arbitrary JavaScript in a victim\u0027s session. Exploitation requires a valid auth token and involves a crafted URL with manipulated query parameters that triggers XSS when accessed by a victim."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-12T14:26:03.568Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.11#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-27914",
    "datePublished": "2025-03-12T00:00:00.000Z",
    "dateReserved": "2025-03-10T00:00:00.000Z",
    "dateUpdated": "2025-03-12T15:44:52.702Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-27915 (GCVE-0-2025-27915)

Vulnerability from nvd – Published: 2025-03-12 00:00 – Updated: 2025-10-21 22:55

Summary

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a <details> tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE

n/a

Assigner

mitre

References

URL

Tags

	https://wiki.zimbra.com/wiki/Security_Center
	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.…

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-27915",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-07T03:55:56.855156Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2025-10-07",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-27915"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T22:55:23.602Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "url": "https://strikeready.com/blog/0day-ics-attack-in-the-wild/"
          },
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-27915"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2025-10-07T00:00:00+00:00",
            "value": "CVE-2025-27915 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a \u003cdetails\u003e tag. This allows an attacker to run arbitrary JavaScript within the victim\u0027s session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim\u0027s account, including e-mail redirection and data exfiltration."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-12T14:31:38.012Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Security_Center"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.5#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.13#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P44#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-27915",
    "datePublished": "2025-03-12T00:00:00.000Z",
    "dateReserved": "2025-03-10T00:00:00.000Z",
    "dateUpdated": "2025-10-21T22:55:23.602Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-45518 (GCVE-0-2024-45518)

Vulnerability from nvd – Published: 2024-10-22 00:00 – Updated: 2024-10-22 18:10

Summary

An issue was discovered in Zimbra Collaboration (ZCS) 10.1.x before 10.1.1, 10.0.x before 10.0.9, 9.0.0 before Patch 41, and 8.8.15 before Patch 46. It allows authenticated users to exploit Server-Side Request Forgery (SSRF) due to improper input sanitization and misconfigured domain whitelisting. This issue permits unauthorized HTTP requests to be sent to internal services, which can lead to Remote Code Execution (RCE) by chaining Command Injection within the internal service. When combined with existing XSS vulnerabilities, this SSRF issue can further facilitate Remote Code Execution (RCE).

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

n/a

Assigner

mitre

References

URL

Tags

	https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
	https://wiki.zimbra.com/wiki/Security_Center
	https://wiki.zimbra.com/wiki/Zimbra_Responsible_D…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.…

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:zimbra:collaboration:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "collaboration",
            "vendor": "zimbra",
            "versions": [
              {
                "lessThan": "10.1.1",
                "status": "affected",
                "version": "10.1.0",
                "versionType": "custom"
              },
              {
                "lessThan": "10.0.9",
                "status": "affected",
                "version": "10.0.0",
                "versionType": "custom"
              },
              {
                "lessThan": "patch41",
                "status": "affected",
                "version": "9.0.0",
                "versionType": "custom"
              },
              {
                "lessThan": "patch46",
                "status": "affected",
                "version": "8.8.15",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-45518",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T18:07:12.455265Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-918",
                "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T18:10:41.843Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Zimbra Collaboration (ZCS) 10.1.x before 10.1.1, 10.0.x before 10.0.9, 9.0.0 before Patch 41, and 8.8.15 before Patch 46. It allows authenticated users to exploit Server-Side Request Forgery (SSRF) due to improper input sanitization and misconfigured domain whitelisting. This issue permits unauthorized HTTP requests to be sent to internal services, which can lead to Remote Code Execution (RCE) by chaining Command Injection within the internal service. When combined with existing XSS vulnerabilities, this SSRF issue can further facilitate Remote Code Execution (RCE)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-22T17:10:15.921452",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Security_Center"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P46#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-45518",
    "datePublished": "2024-10-22T00:00:00",
    "dateReserved": "2024-09-01T00:00:00",
    "dateUpdated": "2024-10-22T18:10:41.843Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-45519 (GCVE-0-2024-45519)

Vulnerability from nvd – Published: 2024-10-02 00:00 – Updated: 2025-10-21 22:55

Summary

The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows unauthenticated users to execute commands.

Severity ?

10 (Critical)


                        
                          CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:C/UI:N

CWE

n/a

Assigner

mitre

References

URL

Tags

	https://wiki.zimbra.com/wiki/Security_Center
	https://wiki.zimbra.com/wiki/Zimbra_Responsible_D…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.…

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:zimbra:zimbra_collaboration_suite:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "zimbra_collaboration_suite",
            "vendor": "zimbra",
            "versions": [
              {
                "lessThanOrEqual": "8.8.15",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:zimbra:zimbra_collaboration_suite:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "affected",
            "product": "zimbra_collaboration_suite",
            "vendor": "zimbra",
            "versions": [
              {
                "lessThanOrEqual": "9.0.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:zimbra:zimbra_collaboration_suite:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "affected",
            "product": "zimbra_collaboration_suite",
            "vendor": "zimbra",
            "versions": [
              {
                "lessThan": "10.0.9",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:zimbra:zimbra_collaboration_suite:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "affected",
            "product": "zimbra_collaboration_suite",
            "vendor": "zimbra",
            "versions": [
              {
                "lessThan": "10.1.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-45519",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-03T13:44:03.899299Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2024-10-03",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-45519"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-78",
                "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T22:55:43.984Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://blog.projectdiscovery.io/zimbra-remote-code-execution/"
          },
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-45519"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2024-10-03T00:00:00+00:00",
            "value": "CVE-2024-45519 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows unauthenticated users to execute commands."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:C/UI:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-22T21:01:35.614Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Security_Center"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P46#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-45519",
    "datePublished": "2024-10-02T00:00:00.000Z",
    "dateReserved": "2024-09-01T00:00:00.000Z",
    "dateUpdated": "2025-10-21T22:55:43.984Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-27443 (GCVE-0-2024-27443)

Vulnerability from nvd – Published: 2024-08-12 00:00 – Updated: 2025-10-21 22:55

Summary

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim's session, potentially leading to execution of arbitrary JavaScript code.

Severity ?

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

n/a

Assigner

mitre

References

URL

Tags

	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.…

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-27443",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-21T03:55:36.220790Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2025-05-19",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27443"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T22:55:48.688Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "third-party-advisory"
            ],
            "url": "https://www.welivesecurity.com/en/eset-research/operation-roundpress/"
          },
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27443"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2025-05-19T00:00:00+00:00",
            "value": "CVE-2024-27443 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim\u0027s session, potentially leading to execution of arbitrary JavaScript code."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-12T15:03:02.447Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.7#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P39#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-27443",
    "datePublished": "2024-08-12T00:00:00.000Z",
    "dateReserved": "2024-02-26T00:00:00.000Z",
    "dateUpdated": "2025-10-21T22:55:48.688Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-33536 (GCVE-0-2024-33536)

Vulnerability from nvd – Published: 2024-08-12 00:00 – Updated: 2025-03-25 16:10

Summary

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The vulnerability occurs due to inadequate input validation of the res parameter, allowing an authenticated attacker to inject and execute arbitrary JavaScript code within the context of another user's browser session. By uploading a malicious JavaScript file, accessible externally, and crafting a URL containing its location in the res parameter, the attacker can exploit this vulnerability. Subsequently, when another user visits the crafted URL, the malicious JavaScript code is executed.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE

n/a

Assigner

mitre

References

URL

Tags

	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.…

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-33536",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-12T15:33:06.891365Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-25T16:10:43.367Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The vulnerability occurs due to inadequate input validation of the res parameter, allowing an authenticated attacker to inject and execute arbitrary JavaScript code within the context of another user\u0027s browser session. By uploading a malicious JavaScript file, accessible externally, and crafting a URL containing its location in the res parameter, the attacker can exploit this vulnerability. Subsequently, when another user visits the crafted URL, the malicious JavaScript code is executed."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-12T14:56:33.319Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.8#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P40#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-33536",
    "datePublished": "2024-08-12T00:00:00.000Z",
    "dateReserved": "2024-04-24T00:00:00.000Z",
    "dateUpdated": "2025-03-25T16:10:43.367Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-27442 (GCVE-0-2024-27442)

Vulnerability from nvd – Published: 2024-08-12 00:00 – Updated: 2024-08-13 14:44

Summary

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The zmmailboxdmgr binary, a component of ZCS, is intended to be executed by the zimbra user with root privileges for specific mailbox operations. However, an attacker can escalate privileges from the zimbra user to root, because of improper handling of input arguments. An attacker can execute arbitrary commands with elevated privileges, leading to local privilege escalation.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

n/a

Assigner

mitre

References

URL

Tags

	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.…

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:zimbra:collaboration:9.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "collaboration",
            "vendor": "zimbra",
            "versions": [
              {
                "status": "affected",
                "version": "9.0"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:zimbra:collaboration:10.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "collaboration",
            "vendor": "zimbra",
            "versions": [
              {
                "status": "affected",
                "version": "10.0"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-27442",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-13T14:18:27.711384Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-269",
                "description": "CWE-269 Improper Privilege Management",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-13T14:44:13.521Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The zmmailboxdmgr binary, a component of ZCS, is intended to be executed by the zimbra user with root privileges for specific mailbox operations. However, an attacker can escalate privileges from the zimbra user to root, because of improper handling of input arguments. An attacker can execute arbitrary commands with elevated privileges, leading to local privilege escalation."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-12T14:58:03.586556",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.7#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P39#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-27442",
    "datePublished": "2024-08-12T00:00:00",
    "dateReserved": "2024-02-26T00:00:00",
    "dateUpdated": "2024-08-13T14:44:13.521Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-33535 (GCVE-0-2024-33535)

Vulnerability from nvd – Published: 2024-08-12 00:00 – Updated: 2025-03-19 15:58

Summary

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The vulnerability involves unauthenticated local file inclusion (LFI) in a web application, specifically impacting the handling of the packages parameter. Attackers can exploit this flaw to include arbitrary local files without authentication, potentially leading to unauthorized access to sensitive information. The vulnerability is limited to files within a specific directory.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

n/a

Assigner

mitre

References

URL

Tags

	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0…
	https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.…

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-33535",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-12T18:13:11.747339Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-22",
                "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-19T15:58:06.291Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The vulnerability involves unauthenticated local file inclusion (LFI) in a web application, specifically impacting the handling of the packages parameter. Attackers can exploit this flaw to include arbitrary local files without authentication, potentially leading to unauthorized access to sensitive information. The vulnerability is limited to files within a specific directory."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-12T14:57:05.961Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.8#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P40#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-33535",
    "datePublished": "2024-08-12T00:00:00.000Z",
    "dateReserved": "2024-04-24T00:00:00.000Z",
    "dateUpdated": "2025-03-19T15:58:06.291Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

FKIE_CVE-2024-45515

Vulnerability from fkie_nvd - Published: 2025-07-30 15:15 - Updated: 2025-08-07 18:16

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A Cross-Site Scripting (XSS) vulnerability exists in Zimbra webmail due to insufficient validation of the content type metadata when importing files into the briefcase. Attackers can exploit this issue by crafting a file with manipulated metadata, allowing them to bypass content type checks and execute arbitrary JavaScript within the victim's session.

References

URL	Tags
cve@mitre.org	https://wiki.zimbra.com/wiki/Security_Center	Release Notes
cve@mitre.org	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes	Release Notes
cve@mitre.org	https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy	Product
cve@mitre.org	https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories	Vendor Advisory

Impacted products

	Vendor	Product	Version
	zimbra	collaboration	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "525A8C18-B93E-462B-B714-5536C419D673",
              "versionEndIncluding": "10.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A Cross-Site Scripting (XSS) vulnerability exists in Zimbra webmail due to insufficient validation of the content type metadata when importing files into the briefcase. Attackers can exploit this issue by crafting a file with manipulated metadata, allowing them to bypass content type checks and execute arbitrary JavaScript within the victim\u0027s session."
    },
    {
      "lang": "es",
      "value": "Se descubri\u00f3 un problema en Zimbra Collaboration (ZCS) hasta la versi\u00f3n 10.1. Existe una vulnerabilidad de cross-site scripting (XSS) en el correo web de Zimbra debido a una validaci\u00f3n insuficiente de los metadatos del tipo de contenido al importar archivos al malet\u00edn. Los atacantes pueden explotar este problema creando un archivo con metadatos manipulados, lo que les permite eludir las comprobaciones del tipo de contenido y ejecutar JavaScript arbitrario en la sesi\u00f3n de la v\u00edctima."
    }
  ],
  "id": "CVE-2024-45515",
  "lastModified": "2025-08-07T18:16:45.977",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-07-30T15:15:32.373",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Security_Center"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2025-27915

Vulnerability from fkie_nvd - Published: 2025-03-12 15:15 - Updated: 2025-11-04 16:45

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a <details> tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration.

References

URL	Tags
cve@mitre.org	https://wiki.zimbra.com/wiki/Security_Center	Release Notes
cve@mitre.org	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.13#Security_Fixes	Release Notes
cve@mitre.org	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.5#Security_Fixes	Release Notes
cve@mitre.org	https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P44#Security_Fixes	Release Notes
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://strikeready.com/blog/0day-ics-attack-in-the-wild/	Exploit, Third Party Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-27915	US Government Resource

Impacted products

Vendor	Product	Version
synacor	zimbra_collaboration_suite	*
synacor	zimbra_collaboration_suite	*
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0

JSON

To clipboard

{
  "cisaActionDue": "2025-10-28",
  "cisaExploitAdd": "2025-10-07",
  "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
  "cisaVulnerabilityName": "Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7F7A8D86-7352-45D1-A809-D19FCC4A4ED0",
              "versionEndExcluding": "10.0.13",
              "versionStartIncluding": "10.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CD5597BA-6D2C-4E3A-AA67-0F29DA04CA76",
              "versionEndExcluding": "10.1.5",
              "versionStartIncluding": "10.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "32AFCE22-5ADA-4FF7-A165-5EC12B325DEF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p1:*:*:*:*:*:*",
              "matchCriteriaId": "D3577FE6-F1F4-4555-8D27-84D6DE731EA3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p10:*:*:*:*:*:*",
              "matchCriteriaId": "931BD98E-1A5F-4634-945B-BDD7D2FAA8B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p11:*:*:*:*:*:*",
              "matchCriteriaId": "2E7C0A57-A887-4D29-B601-4275313F46B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p12:*:*:*:*:*:*",
              "matchCriteriaId": "B7248B91-D136-4DD5-A631-737E4C220A02",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p13:*:*:*:*:*:*",
              "matchCriteriaId": "494F6FD4-36ED-4E40-8336-7F077FA80FA8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p14:*:*:*:*:*:*",
              "matchCriteriaId": "9DF8C0CE-A71D-4BB1-83FB-1EA5ED77E0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p15:*:*:*:*:*:*",
              "matchCriteriaId": "E0648498-2EE5-4B68-8360-ED5914285356",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p16:*:*:*:*:*:*",
              "matchCriteriaId": "24282FF8-548B-415B-95CA-1EFD404D21D3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p17:*:*:*:*:*:*",
              "matchCriteriaId": "ACFDF2D9-ED72-4969-AA3B-E8D48CB1922D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p18:*:*:*:*:*:*",
              "matchCriteriaId": "2B7D0A8B-7A72-4C1A-85F2-BE336CA47E0B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p19:*:*:*:*:*:*",
              "matchCriteriaId": "019AFC34-289E-4A01-B08B-A5807F7F909A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p2:*:*:*:*:*:*",
              "matchCriteriaId": "7E7B3976-DA6F-4285-93E6-2328006F7F4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p20:*:*:*:*:*:*",
              "matchCriteriaId": "062E586F-0E02-45A6-93AD-895048FC2D4C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p21:*:*:*:*:*:*",
              "matchCriteriaId": "3EE37BEE-4BDB-4E62-8DE3-98CF74DFBE01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p22:*:*:*:*:*:*",
              "matchCriteriaId": "ADF51BCA-37DD-4642-B201-74A6D1A545FF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p23:*:*:*:*:*:*",
              "matchCriteriaId": "39611F3D-A898-4C35-8915-3334CDFB78E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24:*:*:*:*:*:*",
              "matchCriteriaId": "40AB56B7-7222-4C44-A271-45DFE3673F72",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24.1:*:*:*:*:*:*",
              "matchCriteriaId": "2AE8F501-4528-4F15-AE50-D4F11FB462DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p25:*:*:*:*:*:*",
              "matchCriteriaId": "AB9E054B-7790-4E74-A771-40BF6EC71610",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p26:*:*:*:*:*:*",
              "matchCriteriaId": "DD924E57-C77B-430B-A615-537BB39CEA9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p27:*:*:*:*:*:*",
              "matchCriteriaId": "F43F4AC0-7C82-4CF4-B0C7-3A4C567BC985",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p28:*:*:*:*:*:*",
              "matchCriteriaId": "7991F602-41D7-4377-B888-D66A467EAD67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p29:*:*:*:*:*:*",
              "matchCriteriaId": "2193FCA2-1AE3-497D-B0ED-5B89727410E3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p3:*:*:*:*:*:*",
              "matchCriteriaId": "FA310AFA-492D-4A6C-A7F6-740E82CB6E57",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p30:*:*:*:*:*:*",
              "matchCriteriaId": "FF95618B-0BFB-403C-83BE-C97879FC866D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p31:*:*:*:*:*:*",
              "matchCriteriaId": "A82346A9-9CC2-4B91-BA2F-A815AAA92A7F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p32:*:*:*:*:*:*",
              "matchCriteriaId": "2E800348-E139-418D-910B-7B3A9E1E721C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p33:*:*:*:*:*:*",
              "matchCriteriaId": "C7DE1A7E-573B-42F3-B0A4-D2E676954FE0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p34:*:*:*:*:*:*",
              "matchCriteriaId": "E60BC1D0-8552-4E6B-B2C5-96038448C238",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p35:*:*:*:*:*:*",
              "matchCriteriaId": "3924251E-13B0-420E-8080-D3312C3D54AF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p36:*:*:*:*:*:*",
              "matchCriteriaId": "AEBE75F9-A494-4C78-927A-EA564BDCCE0B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p37:*:*:*:*:*:*",
              "matchCriteriaId": "900BECBA-7FDB-4E35-9603-29706FB87BD2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p38:*:*:*:*:*:*",
              "matchCriteriaId": "5024FD58-A3ED-43B1-83EF-F4570C2573BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p39:*:*:*:*:*:*",
              "matchCriteriaId": "3CC9D046-4EB4-4608-8AB7-B60AC330A770",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p4:*:*:*:*:*:*",
              "matchCriteriaId": "2AF337B5-B296-449B-8848-7636EC7C46C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p40:*:*:*:*:*:*",
              "matchCriteriaId": "A4535EC5-74D5-41E8-95F1-5C033ADB043E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p41:*:*:*:*:*:*",
              "matchCriteriaId": "408E1BFD-16AA-458C-B040-04870522FEBD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p42:*:*:*:*:*:*",
              "matchCriteriaId": "205B2CDC-6423-4FD9-9FD0-847ADEB64003",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p43:*:*:*:*:*:*",
              "matchCriteriaId": "CAE21C69-F080-4CE2-A39E-BF3509FB2005",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p5:*:*:*:*:*:*",
              "matchCriteriaId": "52232ACA-C158-48C8-A0DB-7689040CB8FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p6:*:*:*:*:*:*",
              "matchCriteriaId": "3B4D0040-86D0-46C3-8A9A-3DD12138B9ED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p7:*:*:*:*:*:*",
              "matchCriteriaId": "D2BB9BC7-078D-4E08-88E4-9432D74CA9BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p8:*:*:*:*:*:*",
              "matchCriteriaId": "F04D4B77-D386-4BC8-8169-9846693F6F11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p9:*:*:*:*:*:*",
              "matchCriteriaId": "992370FA-F171-4FB3-9C1C-58AC37038CE4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a \u003cdetails\u003e tag. This allows an attacker to run arbitrary JavaScript within the victim\u0027s session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim\u0027s account, including e-mail redirection and data exfiltration."
    },
    {
      "lang": "es",
      "value": "Se descubri\u00f3 un problema en Zimbra Collaboration (ZCS) 9.0, 10.0 y 10.1. Existe una vulnerabilidad de cross site scripting (XSS) almacenado en el cliente web cl\u00e1sico debido a una depuraci\u00f3n insuficiente del contenido HTML en los archivos ICS. Cuando un usuario visualiza un mensaje de correo electr\u00f3nico que contiene una entrada ICS maliciosa, su JavaScript incrustado se ejecuta mediante un evento ontoggle dentro de una etiqueta . Esto permite a un atacante ejecutar JavaScript arbitrario en la sesi\u00f3n de la v\u00edctima, lo que podr\u00eda provocar acciones no autorizadas, como configurar filtros de correo electr\u00f3nico para redirigir los mensajes a una direcci\u00f3n controlada por el atacante. Como resultado, un atacante puede realizar acciones no autorizadas en la cuenta de la v\u00edctima, como la redirecci\u00f3n de correo electr\u00f3nico y la exfiltraci\u00f3n de datos."
    }
  ],
  "id": "CVE-2025-27915",
  "lastModified": "2025-11-04T16:45:11.053",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-03-12T15:15:39.900",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Security_Center"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.13#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.5#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P44#Security_Fixes"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://strikeready.com/blog/0day-ics-attack-in-the-wild/"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-27915"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2025-27914

Vulnerability from fkie_nvd - Published: 2025-03-12 15:15 - Updated: 2025-04-02 20:38

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A Reflected Cross-Site Scripting (XSS) vulnerability exists in the /h/rest endpoint, allowing authenticated attackers to inject and execute arbitrary JavaScript in a victim's session. Exploitation requires a valid auth token and involves a crafted URL with manipulated query parameters that triggers XSS when accessed by a victim.

References

	URL	Tags
	cve@mitre.org	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.11#Security_Fixes	Release Notes
	cve@mitre.org	https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy	Technical Description

Impacted products

Vendor	Product	Version
zimbra	collaboration	*
zimbra	collaboration	9.0.0
zimbra	collaboration	10.1.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C529F387-A3AD-4DA4-97BA-9AF70BFE4478",
              "versionEndExcluding": "10.0.11",
              "versionStartIncluding": "10.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "685D9652-2934-4C13-8B36-40582C79BFC1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:10.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "6198F75A-353D-4079-91DE-A7CC22DFE8B0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A Reflected Cross-Site Scripting (XSS) vulnerability exists in the /h/rest endpoint, allowing authenticated attackers to inject and execute arbitrary JavaScript in a victim\u0027s session. Exploitation requires a valid auth token and involves a crafted URL with manipulated query parameters that triggers XSS when accessed by a victim."
    },
    {
      "lang": "es",
      "value": "Se descubri\u00f3 un problema en Zimbra Collaboration (ZCS) 9.0, 10.0 y 10.1. Existe una vulnerabilidad de Cross-Site Scripting (XSS) reflejado en el endpoint /h/rest, que permite a atacantes autenticados inyectar y ejecutar JavaScript arbitrario en la sesi\u00f3n de la v\u00edctima. La explotaci\u00f3n requiere un token de autenticaci\u00f3n v\u00e1lido e implica una URL manipulada con par\u00e1metros de consulta manipulados que activa XSS al acceder a ella."
    }
  ],
  "id": "CVE-2025-27914",
  "lastModified": "2025-04-02T20:38:06.430",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-03-12T15:15:39.800",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.11#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Technical Description"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2024-45518

Vulnerability from fkie_nvd - Published: 2024-10-22 17:15 - Updated: 2024-10-30 21:23

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

An issue was discovered in Zimbra Collaboration (ZCS) 10.1.x before 10.1.1, 10.0.x before 10.0.9, 9.0.0 before Patch 41, and 8.8.15 before Patch 46. It allows authenticated users to exploit Server-Side Request Forgery (SSRF) due to improper input sanitization and misconfigured domain whitelisting. This issue permits unauthorized HTTP requests to be sent to internal services, which can lead to Remote Code Execution (RCE) by chaining Command Injection within the internal service. When combined with existing XSS vulnerabilities, this SSRF issue can further facilitate Remote Code Execution (RCE).

References

URL	Tags
cve@mitre.org	https://wiki.zimbra.com/wiki/Security_Center	Release Notes
cve@mitre.org	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes	Release Notes
cve@mitre.org	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes	Release Notes
cve@mitre.org	https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P46#Security_Fixes	Release Notes
cve@mitre.org	https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_Fixes	Release Notes
cve@mitre.org	https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy	Product
cve@mitre.org	https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories	Vendor Advisory

Impacted products

Vendor	Product	Version
zimbra	collaboration	*
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	8.8.15
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	10.1.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "18D6B3CE-07F4-45F9-A5C8-3CA0B1395039",
              "versionEndExcluding": "10.0.9",
              "versionStartIncluding": "10.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:-:*:*:*:*:*:*",
              "matchCriteriaId": "1B17C1A7-0F0A-4E7C-8C0C-0BBB0BF66C82",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p1:*:*:*:*:*:*",
              "matchCriteriaId": "BA48C450-201C-4398-AB65-EF6F95FB0380",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p10:*:*:*:*:*:*",
              "matchCriteriaId": "5F759114-CF2D-48BF-8D09-EBE8D1ED1949",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p11:*:*:*:*:*:*",
              "matchCriteriaId": "AE8BD950-24A2-4AFF-B7EE-6EE115BD75D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p12:*:*:*:*:*:*",
              "matchCriteriaId": "C43634F5-2946-44D2-8A50-B717374A8126",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p13:*:*:*:*:*:*",
              "matchCriteriaId": "20315895-5410-4B88-B2D9-E9C5D79A64DF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p14:*:*:*:*:*:*",
              "matchCriteriaId": "BF405091-A832-4945-87EC-AA525F37DF91",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p15:*:*:*:*:*:*",
              "matchCriteriaId": "C9B6FFA8-CFD2-47C6-9475-79210CB9AA84",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p16:*:*:*:*:*:*",
              "matchCriteriaId": "964CA714-937C-4FC0-A1E9-07F846C786BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p17:*:*:*:*:*:*",
              "matchCriteriaId": "DAF8F155-1406-46ED-A81F-BCC4CE525F43",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p18:*:*:*:*:*:*",
              "matchCriteriaId": "56A8F56B-3457-4C19-B213-3B04FEE8D7A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p19:*:*:*:*:*:*",
              "matchCriteriaId": "B4F8D255-3F91-45FF-9133-4023BA688F9E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p2:*:*:*:*:*:*",
              "matchCriteriaId": "37BC4DF5-D111-4295-94FC-AA8929CDF2A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p20:*:*:*:*:*:*",
              "matchCriteriaId": "A9D50108-0404-4791-8057-DB1786D311C8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p21:*:*:*:*:*:*",
              "matchCriteriaId": "F2A7E53F-8EAC-4DA9-8EAE-117759EFABEF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p22:*:*:*:*:*:*",
              "matchCriteriaId": "858727DB-AE6F-435D-B8FD-6C94C3400E40",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p23:*:*:*:*:*:*",
              "matchCriteriaId": "3FA6AC95-288C-4ABA-B2A7-47E4134EDC31",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p24:*:*:*:*:*:*",
              "matchCriteriaId": "4AA82728-5901-482A-83CF-F883D4B6A8E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p25:*:*:*:*:*:*",
              "matchCriteriaId": "7E762792-542E-43D0-A95A-E7F48F328A28",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p26:*:*:*:*:*:*",
              "matchCriteriaId": "6DD4641A-EC23-4B1A-8729-9AECD70390AF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p27:*:*:*:*:*:*",
              "matchCriteriaId": "E0E3E825-1D1E-4ECD-B306-DD8BDCDD0547",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p28:*:*:*:*:*:*",
              "matchCriteriaId": "840F98DC-57F1-4054-A6C1-6E7F0340AC2C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p29:*:*:*:*:*:*",
              "matchCriteriaId": "EE2A1305-68B7-4CB7-837F-4EDE2EBED507",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p3:*:*:*:*:*:*",
              "matchCriteriaId": "21768A61-7578-4EEC-A23B-FEC10CAA9EDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p30:*:*:*:*:*:*",
              "matchCriteriaId": "CA758408-4302-43BC-BDC9-1B70EC5D2FED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p31:*:*:*:*:*:*",
              "matchCriteriaId": "822CDEBC-0650-4970-B46F-06F505993086",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p32:*:*:*:*:*:*",
              "matchCriteriaId": "971B5005-4676-4D93-A7DD-6AFDC8D0BEEB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p33:*:*:*:*:*:*",
              "matchCriteriaId": "81BC6A7F-D014-44B3-9361-20DB256D3C8D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p34:*:*:*:*:*:*",
              "matchCriteriaId": "6A3DC694-4CCC-4E9F-B6E9-891B1DF115C8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p35:*:*:*:*:*:*",
              "matchCriteriaId": "3810385E-95E8-491E-8281-394125DB04F4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p37:*:*:*:*:*:*",
              "matchCriteriaId": "C08B5A0A-2935-4FEB-9133-4B35E1AB0CDB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p4:*:*:*:*:*:*",
              "matchCriteriaId": "661403E7-1D65-4710-8413-47D74FF65BE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p40:*:*:*:*:*:*",
              "matchCriteriaId": "4CD3AEF8-0667-40B9-BCAA-6C9CA7D9C495",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p41:*:*:*:*:*:*",
              "matchCriteriaId": "A0F8BB82-32E4-463D-B719-8E5186CAAECC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p42:*:*:*:*:*:*",
              "matchCriteriaId": "9605C0CF-E5DF-497A-B298-D64ABCDAF88E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p43:*:*:*:*:*:*",
              "matchCriteriaId": "0A77DFFA-CBBF-4F8C-9D8E-68CC115B4D2B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p44:*:*:*:*:*:*",
              "matchCriteriaId": "4E7EBCB8-3042-4BA9-B34A-E1C95F111B38",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p45:*:*:*:*:*:*",
              "matchCriteriaId": "5DEF465F-35ED-49ED-A86C-AE1C7FF76AFA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p5:*:*:*:*:*:*",
              "matchCriteriaId": "0695D2E0-45B3-493C-BA6D-471B90C0ACC5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p6:*:*:*:*:*:*",
              "matchCriteriaId": "714FAFE6-68AE-4304-B040-48BC46F85A2D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p7:*:*:*:*:*:*",
              "matchCriteriaId": "73FC2D2D-8BBD-4259-8B35-0D9BFA40567B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p8:*:*:*:*:*:*",
              "matchCriteriaId": "AB97E9E6-CC4A-458D-B731-6D51130B942C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p9:*:*:*:*:*:*",
              "matchCriteriaId": "BA688C43-846A-4C4A-AEDB-113D967D3D73",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "685D9652-2934-4C13-8B36-40582C79BFC1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p0:*:*:*:*:*:*",
              "matchCriteriaId": "5E4DF01A-1AA9-47E8-82FD-65A02ECA1376",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p1:*:*:*:*:*:*",
              "matchCriteriaId": "BDE59185-B917-4A81-8DE4-C65A079F52FE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p10:*:*:*:*:*:*",
              "matchCriteriaId": "BA3ED95F-95F2-4676-8EAF-B4B9EB64B260",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p11:*:*:*:*:*:*",
              "matchCriteriaId": "4BB93336-CC3C-4B7F-B194-7DED036ABBAF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p12:*:*:*:*:*:*",
              "matchCriteriaId": "876F1675-F65C-4E86-ADBD-36EB8D8A997D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p13:*:*:*:*:*:*",
              "matchCriteriaId": "2306F526-9C56-4A57-AA9B-02F2D6058C97",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p14:*:*:*:*:*:*",
              "matchCriteriaId": "F9EA2A61-67AA-4B7E-BC6E-80EB1363EF85",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p15:*:*:*:*:*:*",
              "matchCriteriaId": "C77A35B7-96F6-43A7-A747-C6AEEDE961E1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p16:*:*:*:*:*:*",
              "matchCriteriaId": "DC35882B-E709-42D8-8800-F1B734CEAFC3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p19:*:*:*:*:*:*",
              "matchCriteriaId": "B7A47276-F241-4A68-9458-E1481EBDC5E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p2:*:*:*:*:*:*",
              "matchCriteriaId": "12D0D469-6C9B-4B66-9581-DC319773238A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p20:*:*:*:*:*:*",
              "matchCriteriaId": "40629BEB-DF4B-4FB8-8D3D-7BAC43C90766",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p21:*:*:*:*:*:*",
              "matchCriteriaId": "9503131F-CC23-4545-AE9C-9714B287CC25",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p23:*:*:*:*:*:*",
              "matchCriteriaId": "B4CE2D12-AD31-4FED-AD0F-ADF64E92E1B1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p24:*:*:*:*:*:*",
              "matchCriteriaId": "8113A4E3-AA96-4382-815D-6FD88BA42EC5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p24.1:*:*:*:*:*:*",
              "matchCriteriaId": "DC8C28E0-6C51-41EE-A7B2-DB185D1D8FD0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p25:*:*:*:*:*:*",
              "matchCriteriaId": "BC19F11D-23D9-429D-A957-D67F23A40A01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p26:*:*:*:*:*:*",
              "matchCriteriaId": "AAFA2EE7-C965-4F27-8CAE-E607A9F202AD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p27:*:*:*:*:*:*",
              "matchCriteriaId": "1D09DCF6-1C8F-4CA1-B7D4-AFDD4EB35771",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p3:*:*:*:*:*:*",
              "matchCriteriaId": "C52705E6-2C6B-47BC-A0CD-F6AAE0BFC302",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p33:*:*:*:*:*:*",
              "matchCriteriaId": "D659AE6A-591E-4D5B-9781-9648250F5576",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p34:*:*:*:*:*:*",
              "matchCriteriaId": "E4054E3E-561C-4B1C-A615-3CCE5CB69D77",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p35:*:*:*:*:*:*",
              "matchCriteriaId": "4FA0E9C4-25E4-4CD6-B88A-02B413385866",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p36:*:*:*:*:*:*",
              "matchCriteriaId": "5D6F7CA3-C36A-466C-8FAD-D0B3CEF01F0E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p37:*:*:*:*:*:*",
              "matchCriteriaId": "9684AC81-B557-4292-8402-AE55CB2E613C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p38:*:*:*:*:*:*",
              "matchCriteriaId": "32A352C4-0E9C-436F-ADA7-D93492A18037",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p39:*:*:*:*:*:*",
              "matchCriteriaId": "ABCA8698-AB88-4A6D-BD2B-DB22AEED6536",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p4:*:*:*:*:*:*",
              "matchCriteriaId": "33F50D8C-7027-4A8D-8E95-98C224283772",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p40:*:*:*:*:*:*",
              "matchCriteriaId": "CEE1CBDD-F205-4EA7-9E8B-5527BC134C74",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p5:*:*:*:*:*:*",
              "matchCriteriaId": "82000BA4-1781-4312-A7BD-92EC94D137AE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p6:*:*:*:*:*:*",
              "matchCriteriaId": "4B52D301-2559-457A-8FFB-F0915299355A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p7:*:*:*:*:*:*",
              "matchCriteriaId": "7215AE2C-8A33-4AB9-88D5-7C8CD11E806C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p7.1:*:*:*:*:*:*",
              "matchCriteriaId": "8D859F77-8E39-4D46-BC90-C5C1D805A666",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p8:*:*:*:*:*:*",
              "matchCriteriaId": "CDC810C7-45DA-4BDF-9138-2D3B2750243E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p9:*:*:*:*:*:*",
              "matchCriteriaId": "E09D95A4-764D-4E0B-8605-1D94FD548AB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:10.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "6198F75A-353D-4079-91DE-A7CC22DFE8B0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in Zimbra Collaboration (ZCS) 10.1.x before 10.1.1, 10.0.x before 10.0.9, 9.0.0 before Patch 41, and 8.8.15 before Patch 46. It allows authenticated users to exploit Server-Side Request Forgery (SSRF) due to improper input sanitization and misconfigured domain whitelisting. This issue permits unauthorized HTTP requests to be sent to internal services, which can lead to Remote Code Execution (RCE) by chaining Command Injection within the internal service. When combined with existing XSS vulnerabilities, this SSRF issue can further facilitate Remote Code Execution (RCE)."
    },
    {
      "lang": "es",
      "value": " Se descubri\u00f3 un problema en Zimbra Collaboration (ZCS) 10.1.x anterior a 10.1.1, 10.0.x anterior a 10.0.9, 9.0.0 anterior al parche 41 y 8.8.15 anterior al parche 46. Permite a los usuarios autenticados explotar Server-Side Request Forgery (SSRF) debido a una desinfecci\u00f3n de entrada incorrecta y una lista blanca de dominios mal configurada. Este problema permite que se env\u00eden solicitudes HTTP no autorizadas a servicios internos, lo que puede provocar una ejecuci\u00f3n de c\u00f3digo remoto (RCE) al encadenar la inyecci\u00f3n de comandos dentro del servicio interno. Cuando se combina con las vulnerabilidades XSS existentes, este problema de SSRF puede facilitar a\u00fan m\u00e1s la ejecuci\u00f3n de c\u00f3digo remoto (RCE)."
    }
  ],
  "id": "CVE-2024-45518",
  "lastModified": "2024-10-30T21:23:59.893",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-10-22T17:15:03.837",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Security_Center"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P46#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2024-45519

Vulnerability from fkie_nvd - Published: 2024-10-02 22:15 - Updated: 2025-11-04 16:45

Severity ?

10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows unauthenticated users to execute commands.

References

URL	Tags
cve@mitre.org	https://wiki.zimbra.com/wiki/Security_Center	Release Notes
cve@mitre.org	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes	Release Notes
cve@mitre.org	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes	Release Notes
cve@mitre.org	https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P46#Security_Fixes	Release Notes
cve@mitre.org	https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_Fixes	Release Notes
cve@mitre.org	https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy	Not Applicable
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://blog.projectdiscovery.io/zimbra-remote-code-execution/	Exploit
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-45519	US Government Resource

Impacted products

Vendor	Product	Version
synacor	zimbra_collaboration_suite	*
synacor	zimbra_collaboration_suite	*
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	10.1.0

JSON

To clipboard

{
  "cisaActionDue": "2024-10-24",
  "cisaExploitAdd": "2024-10-03",
  "cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
  "cisaVulnerabilityName": "Synacor Zimbra Collaboration Suite (ZCS) Command Execution Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E8BF8662-919E-4A40-917F-FEA0EA73491C",
              "versionEndExcluding": "8.8.15",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CC78301D-6403-496F-A349-1C7BAC37797D",
              "versionEndExcluding": "10.0.9",
              "versionStartIncluding": "10.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:-:*:*:*:*:*:*",
              "matchCriteriaId": "9E39A855-C0EB-4448-AE96-177757C40C66",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p1:*:*:*:*:*:*",
              "matchCriteriaId": "FFE7BE6E-7A9A-40C7-B236-7A21103E9F41",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p10:*:*:*:*:*:*",
              "matchCriteriaId": "B5924FFC-BA19-48B3-BF4D-0C2DB3FCD407",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p11:*:*:*:*:*:*",
              "matchCriteriaId": "7822D273-C2CB-4EFE-B929-3D34C65E005E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p12:*:*:*:*:*:*",
              "matchCriteriaId": "F81528E8-FE3A-4C48-A747-34A3FF28BCAB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p13:*:*:*:*:*:*",
              "matchCriteriaId": "D772D4BA-9ED6-492C-A0D3-0AF4F3D49037",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p14:*:*:*:*:*:*",
              "matchCriteriaId": "C2A468FE-B59B-4CE9-B9B2-C836EEAFA3E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p15:*:*:*:*:*:*",
              "matchCriteriaId": "04BECDE0-F082-49FB-ACA2-5C808902AA17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p16:*:*:*:*:*:*",
              "matchCriteriaId": "56558FD4-4391-4199-BA6B-B53F5DC30144",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p17:*:*:*:*:*:*",
              "matchCriteriaId": "69A530D3-B84E-427B-BC92-64BBFEF331BE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p18:*:*:*:*:*:*",
              "matchCriteriaId": "3C0DCE7F-85A4-44C6-88C8-380B0BBBFA7E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p19:*:*:*:*:*:*",
              "matchCriteriaId": "180AF8B6-55AE-460C-B613-37FB697B5325",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p2:*:*:*:*:*:*",
              "matchCriteriaId": "6FCB5528-70FD-4525-A78B-D5537609331A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p20:*:*:*:*:*:*",
              "matchCriteriaId": "34B07279-A26A-4EB1-8B33-885AD854018B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p21:*:*:*:*:*:*",
              "matchCriteriaId": "97402ADA-AB05-4A92-920D-EA5363424FDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p22:*:*:*:*:*:*",
              "matchCriteriaId": "697A1D34-FF0C-4F9E-8E91-34404A366D70",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p23:*:*:*:*:*:*",
              "matchCriteriaId": "9030D096-87A1-4AFF-BB7C-CE71990005B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p24:*:*:*:*:*:*",
              "matchCriteriaId": "F211A8B1-E33E-49BE-9C18-31B1902EB4FE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p25:*:*:*:*:*:*",
              "matchCriteriaId": "4152CEA2-9DC1-4567-BAB3-9C36F74F77EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p26:*:*:*:*:*:*",
              "matchCriteriaId": "9BC02B35-7FC4-41AB-8D2E-2CD1896D84C6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p27:*:*:*:*:*:*",
              "matchCriteriaId": "0294CB8B-B0AF-4A5C-B6B2-33F5BFFFBD4C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p28:*:*:*:*:*:*",
              "matchCriteriaId": "968A75B4-6D23-4B83-A8B5-777D8F151E04",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p29:*:*:*:*:*:*",
              "matchCriteriaId": "5E11BC24-56A3-4CAB-B0B2-D2430CD80767",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p3:*:*:*:*:*:*",
              "matchCriteriaId": "EF2EE32D-04A5-46EA-92F0-3C8D74A4B82A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p30:*:*:*:*:*:*",
              "matchCriteriaId": "50FB0099-0495-4735-9398-7F7E657F459B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p31:*:*:*:*:*:*",
              "matchCriteriaId": "FAE2858A-6D9E-4D79-AFA6-69C44D6D8C75",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p31.1:*:*:*:*:*:*",
              "matchCriteriaId": "5C1D9EB8-E3FE-4BF3-8517-603BA4B126C2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p32:*:*:*:*:*:*",
              "matchCriteriaId": "50A296BC-6DA4-41B2-923A-0633566AD6C1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p33:*:*:*:*:*:*",
              "matchCriteriaId": "C066ED38-1175-48FB-BE05-BE0C19E9EBE7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p34:*:*:*:*:*:*",
              "matchCriteriaId": "89B3EF32-B474-44DB-AE30-CD308CDC5A77",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p35:*:*:*:*:*:*",
              "matchCriteriaId": "A9ECCB00-F3F4-4EB7-9FD0-4CB64678B129",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p36:*:*:*:*:*:*",
              "matchCriteriaId": "37739F7A-490F-42A8-B97D-D09A3EDB85DC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p37:*:*:*:*:*:*",
              "matchCriteriaId": "518662DA-C0F3-4875-86D7-5ED2B2496CC8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p38:*:*:*:*:*:*",
              "matchCriteriaId": "64B28BE5-F35D-4AB0-A321-CEAE21BC26FF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p39:*:*:*:*:*:*",
              "matchCriteriaId": "9DFBABD6-70F2-4E3B-A9C0-82DE76D48542",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p4:*:*:*:*:*:*",
              "matchCriteriaId": "BB3C28CA-4C22-423E-B1C7-CBAFBB91F4DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p40:*:*:*:*:*:*",
              "matchCriteriaId": "0D2D6DBD-560A-4F8E-B2CC-67A564C460A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p41:*:*:*:*:*:*",
              "matchCriteriaId": "BFBC20F8-7F50-4D9D-8442-3397DED4B18B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p42:*:*:*:*:*:*",
              "matchCriteriaId": "D175FCA2-F902-4470-BFF6-5EC2F31BB06D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p43:*:*:*:*:*:*",
              "matchCriteriaId": "5516ED19-5648-4BC8-A9C2-6EE41B1794C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p44:*:*:*:*:*:*",
              "matchCriteriaId": "28D5F229-EE33-42C4-A26D-23BC760720A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p45:*:*:*:*:*:*",
              "matchCriteriaId": "A00BE897-F462-4193-BF51-4381B04C076B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p5:*:*:*:*:*:*",
              "matchCriteriaId": "A9A1314A-20C8-42D7-9387-D914999EEAF6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p6:*:*:*:*:*:*",
              "matchCriteriaId": "CEF091C5-8DC6-4A41-9E84-F53BE703F71B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p7:*:*:*:*:*:*",
              "matchCriteriaId": "ACD65C28-9716-4073-8613-C4AF12684760",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p8:*:*:*:*:*:*",
              "matchCriteriaId": "2C58AFFF-848F-490D-A95C-03A267C2DC98",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p9:*:*:*:*:*:*",
              "matchCriteriaId": "B62DC188-89A8-4AEA-90AE-563F0BBEFC54",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "32AFCE22-5ADA-4FF7-A165-5EC12B325DEF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p1:*:*:*:*:*:*",
              "matchCriteriaId": "D3577FE6-F1F4-4555-8D27-84D6DE731EA3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p10:*:*:*:*:*:*",
              "matchCriteriaId": "931BD98E-1A5F-4634-945B-BDD7D2FAA8B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p11:*:*:*:*:*:*",
              "matchCriteriaId": "2E7C0A57-A887-4D29-B601-4275313F46B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p12:*:*:*:*:*:*",
              "matchCriteriaId": "B7248B91-D136-4DD5-A631-737E4C220A02",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p13:*:*:*:*:*:*",
              "matchCriteriaId": "494F6FD4-36ED-4E40-8336-7F077FA80FA8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p14:*:*:*:*:*:*",
              "matchCriteriaId": "9DF8C0CE-A71D-4BB1-83FB-1EA5ED77E0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p15:*:*:*:*:*:*",
              "matchCriteriaId": "E0648498-2EE5-4B68-8360-ED5914285356",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p16:*:*:*:*:*:*",
              "matchCriteriaId": "24282FF8-548B-415B-95CA-1EFD404D21D3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p17:*:*:*:*:*:*",
              "matchCriteriaId": "ACFDF2D9-ED72-4969-AA3B-E8D48CB1922D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p18:*:*:*:*:*:*",
              "matchCriteriaId": "2B7D0A8B-7A72-4C1A-85F2-BE336CA47E0B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p19:*:*:*:*:*:*",
              "matchCriteriaId": "019AFC34-289E-4A01-B08B-A5807F7F909A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p2:*:*:*:*:*:*",
              "matchCriteriaId": "7E7B3976-DA6F-4285-93E6-2328006F7F4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p20:*:*:*:*:*:*",
              "matchCriteriaId": "062E586F-0E02-45A6-93AD-895048FC2D4C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p21:*:*:*:*:*:*",
              "matchCriteriaId": "3EE37BEE-4BDB-4E62-8DE3-98CF74DFBE01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p22:*:*:*:*:*:*",
              "matchCriteriaId": "ADF51BCA-37DD-4642-B201-74A6D1A545FF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p23:*:*:*:*:*:*",
              "matchCriteriaId": "39611F3D-A898-4C35-8915-3334CDFB78E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24:*:*:*:*:*:*",
              "matchCriteriaId": "40AB56B7-7222-4C44-A271-45DFE3673F72",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24.1:*:*:*:*:*:*",
              "matchCriteriaId": "2AE8F501-4528-4F15-AE50-D4F11FB462DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p25:*:*:*:*:*:*",
              "matchCriteriaId": "AB9E054B-7790-4E74-A771-40BF6EC71610",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p26:*:*:*:*:*:*",
              "matchCriteriaId": "DD924E57-C77B-430B-A615-537BB39CEA9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p27:*:*:*:*:*:*",
              "matchCriteriaId": "F43F4AC0-7C82-4CF4-B0C7-3A4C567BC985",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p28:*:*:*:*:*:*",
              "matchCriteriaId": "7991F602-41D7-4377-B888-D66A467EAD67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p29:*:*:*:*:*:*",
              "matchCriteriaId": "2193FCA2-1AE3-497D-B0ED-5B89727410E3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p3:*:*:*:*:*:*",
              "matchCriteriaId": "FA310AFA-492D-4A6C-A7F6-740E82CB6E57",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p30:*:*:*:*:*:*",
              "matchCriteriaId": "FF95618B-0BFB-403C-83BE-C97879FC866D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p31:*:*:*:*:*:*",
              "matchCriteriaId": "A82346A9-9CC2-4B91-BA2F-A815AAA92A7F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p32:*:*:*:*:*:*",
              "matchCriteriaId": "2E800348-E139-418D-910B-7B3A9E1E721C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p33:*:*:*:*:*:*",
              "matchCriteriaId": "C7DE1A7E-573B-42F3-B0A4-D2E676954FE0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p34:*:*:*:*:*:*",
              "matchCriteriaId": "E60BC1D0-8552-4E6B-B2C5-96038448C238",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p35:*:*:*:*:*:*",
              "matchCriteriaId": "3924251E-13B0-420E-8080-D3312C3D54AF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p36:*:*:*:*:*:*",
              "matchCriteriaId": "AEBE75F9-A494-4C78-927A-EA564BDCCE0B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p37:*:*:*:*:*:*",
              "matchCriteriaId": "900BECBA-7FDB-4E35-9603-29706FB87BD2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p38:*:*:*:*:*:*",
              "matchCriteriaId": "5024FD58-A3ED-43B1-83EF-F4570C2573BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p39:*:*:*:*:*:*",
              "matchCriteriaId": "3CC9D046-4EB4-4608-8AB7-B60AC330A770",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p4:*:*:*:*:*:*",
              "matchCriteriaId": "2AF337B5-B296-449B-8848-7636EC7C46C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p40:*:*:*:*:*:*",
              "matchCriteriaId": "A4535EC5-74D5-41E8-95F1-5C033ADB043E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p5:*:*:*:*:*:*",
              "matchCriteriaId": "52232ACA-C158-48C8-A0DB-7689040CB8FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p6:*:*:*:*:*:*",
              "matchCriteriaId": "3B4D0040-86D0-46C3-8A9A-3DD12138B9ED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p7:*:*:*:*:*:*",
              "matchCriteriaId": "D2BB9BC7-078D-4E08-88E4-9432D74CA9BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p8:*:*:*:*:*:*",
              "matchCriteriaId": "F04D4B77-D386-4BC8-8169-9846693F6F11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p9:*:*:*:*:*:*",
              "matchCriteriaId": "992370FA-F171-4FB3-9C1C-58AC37038CE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:10.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C936B30B-C717-442B-8656-CF9EE3FC7C10",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows unauthenticated users to execute commands."
    },
    {
      "lang": "es",
      "value": "El servicio postjournal en Zimbra Collaboration (ZCS) anterior a la versi\u00f3n 8.8.15 parche 46, 9 anterior a la versi\u00f3n 9.0.0 parche 41, 10 anterior a la versi\u00f3n 10.0.9 y 10.1 anterior a la versi\u00f3n 10.1.1 a veces permite que usuarios no autenticados ejecuten comandos."
    }
  ],
  "id": "CVE-2024-45519",
  "lastModified": "2025-11-04T16:45:03.550",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 10.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 6.0,
        "source": "cve@mitre.org",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-10-02T22:15:02.770",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Security_Center"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P46#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Not Applicable"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit"
      ],
      "url": "https://blog.projectdiscovery.io/zimbra-remote-code-execution/"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-45519"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2024-33535

Vulnerability from fkie_nvd - Published: 2024-08-12 15:15 - Updated: 2025-03-19 16:15

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The vulnerability involves unauthenticated local file inclusion (LFI) in a web application, specifically impacting the handling of the packages parameter. Attackers can exploit this flaw to include arbitrary local files without authentication, potentially leading to unauthorized access to sensitive information. The vulnerability is limited to files within a specific directory.

References

	URL	Tags
	cve@mitre.org	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.8#Security_Fixes	Release Notes
	cve@mitre.org	https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P40#Security_Fixes	Release Notes

Impacted products

Vendor	Product	Version
zimbra	collaboration	*
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A5BC091A-EE5A-4D34-9D2E-754D3C2FCA3F",
              "versionEndExcluding": "10.0.8",
              "versionStartIncluding": "10.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "685D9652-2934-4C13-8B36-40582C79BFC1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p0:*:*:*:*:*:*",
              "matchCriteriaId": "5E4DF01A-1AA9-47E8-82FD-65A02ECA1376",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p1:*:*:*:*:*:*",
              "matchCriteriaId": "BDE59185-B917-4A81-8DE4-C65A079F52FE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p10:*:*:*:*:*:*",
              "matchCriteriaId": "BA3ED95F-95F2-4676-8EAF-B4B9EB64B260",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p11:*:*:*:*:*:*",
              "matchCriteriaId": "4BB93336-CC3C-4B7F-B194-7DED036ABBAF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p12:*:*:*:*:*:*",
              "matchCriteriaId": "876F1675-F65C-4E86-ADBD-36EB8D8A997D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p13:*:*:*:*:*:*",
              "matchCriteriaId": "2306F526-9C56-4A57-AA9B-02F2D6058C97",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p14:*:*:*:*:*:*",
              "matchCriteriaId": "F9EA2A61-67AA-4B7E-BC6E-80EB1363EF85",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p15:*:*:*:*:*:*",
              "matchCriteriaId": "C77A35B7-96F6-43A7-A747-C6AEEDE961E1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p16:*:*:*:*:*:*",
              "matchCriteriaId": "DC35882B-E709-42D8-8800-F1B734CEAFC3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p19:*:*:*:*:*:*",
              "matchCriteriaId": "B7A47276-F241-4A68-9458-E1481EBDC5E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p2:*:*:*:*:*:*",
              "matchCriteriaId": "12D0D469-6C9B-4B66-9581-DC319773238A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p20:*:*:*:*:*:*",
              "matchCriteriaId": "40629BEB-DF4B-4FB8-8D3D-7BAC43C90766",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p21:*:*:*:*:*:*",
              "matchCriteriaId": "9503131F-CC23-4545-AE9C-9714B287CC25",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p23:*:*:*:*:*:*",
              "matchCriteriaId": "B4CE2D12-AD31-4FED-AD0F-ADF64E92E1B1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p24:*:*:*:*:*:*",
              "matchCriteriaId": "8113A4E3-AA96-4382-815D-6FD88BA42EC5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p24.1:*:*:*:*:*:*",
              "matchCriteriaId": "DC8C28E0-6C51-41EE-A7B2-DB185D1D8FD0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p25:*:*:*:*:*:*",
              "matchCriteriaId": "BC19F11D-23D9-429D-A957-D67F23A40A01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p26:*:*:*:*:*:*",
              "matchCriteriaId": "AAFA2EE7-C965-4F27-8CAE-E607A9F202AD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p27:*:*:*:*:*:*",
              "matchCriteriaId": "1D09DCF6-1C8F-4CA1-B7D4-AFDD4EB35771",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p3:*:*:*:*:*:*",
              "matchCriteriaId": "C52705E6-2C6B-47BC-A0CD-F6AAE0BFC302",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p30:*:*:*:*:*:*",
              "matchCriteriaId": "FD1DCE2B-D944-43AE-AD0E-9282DE6D618F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p31:*:*:*:*:*:*",
              "matchCriteriaId": "2079B9F8-128B-487D-A965-E8B37FDF6304",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p32:*:*:*:*:*:*",
              "matchCriteriaId": "9679FD62-815E-47A8-8552-D28CE48B82B2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p33:*:*:*:*:*:*",
              "matchCriteriaId": "D659AE6A-591E-4D5B-9781-9648250F5576",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p34:*:*:*:*:*:*",
              "matchCriteriaId": "E4054E3E-561C-4B1C-A615-3CCE5CB69D77",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p35:*:*:*:*:*:*",
              "matchCriteriaId": "4FA0E9C4-25E4-4CD6-B88A-02B413385866",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p36:*:*:*:*:*:*",
              "matchCriteriaId": "5D6F7CA3-C36A-466C-8FAD-D0B3CEF01F0E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p37:*:*:*:*:*:*",
              "matchCriteriaId": "9684AC81-B557-4292-8402-AE55CB2E613C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p38:*:*:*:*:*:*",
              "matchCriteriaId": "32A352C4-0E9C-436F-ADA7-D93492A18037",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p39:*:*:*:*:*:*",
              "matchCriteriaId": "ABCA8698-AB88-4A6D-BD2B-DB22AEED6536",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p4:*:*:*:*:*:*",
              "matchCriteriaId": "33F50D8C-7027-4A8D-8E95-98C224283772",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p5:*:*:*:*:*:*",
              "matchCriteriaId": "82000BA4-1781-4312-A7BD-92EC94D137AE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p6:*:*:*:*:*:*",
              "matchCriteriaId": "4B52D301-2559-457A-8FFB-F0915299355A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p7:*:*:*:*:*:*",
              "matchCriteriaId": "7215AE2C-8A33-4AB9-88D5-7C8CD11E806C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p7.1:*:*:*:*:*:*",
              "matchCriteriaId": "8D859F77-8E39-4D46-BC90-C5C1D805A666",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p8:*:*:*:*:*:*",
              "matchCriteriaId": "CDC810C7-45DA-4BDF-9138-2D3B2750243E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p9:*:*:*:*:*:*",
              "matchCriteriaId": "E09D95A4-764D-4E0B-8605-1D94FD548AB2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The vulnerability involves unauthenticated local file inclusion (LFI) in a web application, specifically impacting the handling of the packages parameter. Attackers can exploit this flaw to include arbitrary local files without authentication, potentially leading to unauthorized access to sensitive information. The vulnerability is limited to files within a specific directory."
    },
    {
      "lang": "es",
      "value": "Se descubri\u00f3 un problema en Zimbra Collaboration (ZCS) 9.0 y 10.0. La vulnerabilidad implica la inclusi\u00f3n de archivos locales (LFI) no autenticados en una aplicaci\u00f3n web, lo que afecta espec\u00edficamente el manejo del par\u00e1metro de paquetes. Los atacantes pueden aprovechar esta falla para incluir archivos locales arbitrarios sin autenticaci\u00f3n, lo que podr\u00eda conducir a un acceso no autorizado a informaci\u00f3n confidencial. La vulnerabilidad se limita a archivos dentro de un directorio espec\u00edfico."
    }
  ],
  "id": "CVE-2024-33535",
  "lastModified": "2025-03-19T16:15:24.753",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-08-12T15:15:20.570",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.8#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P40#Security_Fixes"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2024-33536

Vulnerability from fkie_nvd - Published: 2024-08-12 15:15 - Updated: 2025-03-25 17:15

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The vulnerability occurs due to inadequate input validation of the res parameter, allowing an authenticated attacker to inject and execute arbitrary JavaScript code within the context of another user's browser session. By uploading a malicious JavaScript file, accessible externally, and crafting a URL containing its location in the res parameter, the attacker can exploit this vulnerability. Subsequently, when another user visits the crafted URL, the malicious JavaScript code is executed.

References

	URL	Tags
	cve@mitre.org	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.8#Security_Fixes	Release Notes
	cve@mitre.org	https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P40#Security_Fixes	Release Notes

Impacted products

Vendor	Product	Version
zimbra	collaboration	*
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A5BC091A-EE5A-4D34-9D2E-754D3C2FCA3F",
              "versionEndExcluding": "10.0.8",
              "versionStartIncluding": "10.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "685D9652-2934-4C13-8B36-40582C79BFC1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p0:*:*:*:*:*:*",
              "matchCriteriaId": "5E4DF01A-1AA9-47E8-82FD-65A02ECA1376",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p1:*:*:*:*:*:*",
              "matchCriteriaId": "BDE59185-B917-4A81-8DE4-C65A079F52FE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p10:*:*:*:*:*:*",
              "matchCriteriaId": "BA3ED95F-95F2-4676-8EAF-B4B9EB64B260",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p11:*:*:*:*:*:*",
              "matchCriteriaId": "4BB93336-CC3C-4B7F-B194-7DED036ABBAF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p12:*:*:*:*:*:*",
              "matchCriteriaId": "876F1675-F65C-4E86-ADBD-36EB8D8A997D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p13:*:*:*:*:*:*",
              "matchCriteriaId": "2306F526-9C56-4A57-AA9B-02F2D6058C97",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p14:*:*:*:*:*:*",
              "matchCriteriaId": "F9EA2A61-67AA-4B7E-BC6E-80EB1363EF85",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p15:*:*:*:*:*:*",
              "matchCriteriaId": "C77A35B7-96F6-43A7-A747-C6AEEDE961E1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p16:*:*:*:*:*:*",
              "matchCriteriaId": "DC35882B-E709-42D8-8800-F1B734CEAFC3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p19:*:*:*:*:*:*",
              "matchCriteriaId": "B7A47276-F241-4A68-9458-E1481EBDC5E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p2:*:*:*:*:*:*",
              "matchCriteriaId": "12D0D469-6C9B-4B66-9581-DC319773238A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p20:*:*:*:*:*:*",
              "matchCriteriaId": "40629BEB-DF4B-4FB8-8D3D-7BAC43C90766",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p21:*:*:*:*:*:*",
              "matchCriteriaId": "9503131F-CC23-4545-AE9C-9714B287CC25",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p23:*:*:*:*:*:*",
              "matchCriteriaId": "B4CE2D12-AD31-4FED-AD0F-ADF64E92E1B1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p24:*:*:*:*:*:*",
              "matchCriteriaId": "8113A4E3-AA96-4382-815D-6FD88BA42EC5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p24.1:*:*:*:*:*:*",
              "matchCriteriaId": "DC8C28E0-6C51-41EE-A7B2-DB185D1D8FD0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p25:*:*:*:*:*:*",
              "matchCriteriaId": "BC19F11D-23D9-429D-A957-D67F23A40A01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p26:*:*:*:*:*:*",
              "matchCriteriaId": "AAFA2EE7-C965-4F27-8CAE-E607A9F202AD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p27:*:*:*:*:*:*",
              "matchCriteriaId": "1D09DCF6-1C8F-4CA1-B7D4-AFDD4EB35771",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p3:*:*:*:*:*:*",
              "matchCriteriaId": "C52705E6-2C6B-47BC-A0CD-F6AAE0BFC302",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p30:*:*:*:*:*:*",
              "matchCriteriaId": "FD1DCE2B-D944-43AE-AD0E-9282DE6D618F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p31:*:*:*:*:*:*",
              "matchCriteriaId": "2079B9F8-128B-487D-A965-E8B37FDF6304",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p32:*:*:*:*:*:*",
              "matchCriteriaId": "9679FD62-815E-47A8-8552-D28CE48B82B2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p33:*:*:*:*:*:*",
              "matchCriteriaId": "D659AE6A-591E-4D5B-9781-9648250F5576",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p34:*:*:*:*:*:*",
              "matchCriteriaId": "E4054E3E-561C-4B1C-A615-3CCE5CB69D77",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p35:*:*:*:*:*:*",
              "matchCriteriaId": "4FA0E9C4-25E4-4CD6-B88A-02B413385866",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p36:*:*:*:*:*:*",
              "matchCriteriaId": "5D6F7CA3-C36A-466C-8FAD-D0B3CEF01F0E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p37:*:*:*:*:*:*",
              "matchCriteriaId": "9684AC81-B557-4292-8402-AE55CB2E613C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p38:*:*:*:*:*:*",
              "matchCriteriaId": "32A352C4-0E9C-436F-ADA7-D93492A18037",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p39:*:*:*:*:*:*",
              "matchCriteriaId": "ABCA8698-AB88-4A6D-BD2B-DB22AEED6536",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p4:*:*:*:*:*:*",
              "matchCriteriaId": "33F50D8C-7027-4A8D-8E95-98C224283772",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p5:*:*:*:*:*:*",
              "matchCriteriaId": "82000BA4-1781-4312-A7BD-92EC94D137AE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p6:*:*:*:*:*:*",
              "matchCriteriaId": "4B52D301-2559-457A-8FFB-F0915299355A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p7:*:*:*:*:*:*",
              "matchCriteriaId": "7215AE2C-8A33-4AB9-88D5-7C8CD11E806C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p7.1:*:*:*:*:*:*",
              "matchCriteriaId": "8D859F77-8E39-4D46-BC90-C5C1D805A666",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p8:*:*:*:*:*:*",
              "matchCriteriaId": "CDC810C7-45DA-4BDF-9138-2D3B2750243E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p9:*:*:*:*:*:*",
              "matchCriteriaId": "E09D95A4-764D-4E0B-8605-1D94FD548AB2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The vulnerability occurs due to inadequate input validation of the res parameter, allowing an authenticated attacker to inject and execute arbitrary JavaScript code within the context of another user\u0027s browser session. By uploading a malicious JavaScript file, accessible externally, and crafting a URL containing its location in the res parameter, the attacker can exploit this vulnerability. Subsequently, when another user visits the crafted URL, the malicious JavaScript code is executed."
    },
    {
      "lang": "es",
      "value": "Se descubri\u00f3 un problema en Zimbra Collaboration (ZCS) 9.0 y 10.0. La vulnerabilidad se produce debido a una validaci\u00f3n de entrada inadecuada del par\u00e1metro res, lo que permite a un atacante autenticado inyectar y ejecutar c\u00f3digo JavaScript arbitrario dentro del contexto de la sesi\u00f3n del navegador de otro usuario. Al cargar un archivo JavaScript malicioso, accesible externamente, y crear una URL que contenga su ubicaci\u00f3n en el par\u00e1metro res, el atacante puede aprovechar esta vulnerabilidad. Posteriormente, cuando otro usuario visita la URL manipulada, se ejecuta el c\u00f3digo JavaScript malicioso."
    }
  ],
  "id": "CVE-2024-33536",
  "lastModified": "2025-03-25T17:15:55.057",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-08-12T15:15:20.657",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.8#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P40#Security_Fixes"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2024-27442

Vulnerability from fkie_nvd - Published: 2024-08-12 15:15 - Updated: 2024-08-13 17:30

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The zmmailboxdmgr binary, a component of ZCS, is intended to be executed by the zimbra user with root privileges for specific mailbox operations. However, an attacker can escalate privileges from the zimbra user to root, because of improper handling of input arguments. An attacker can execute arbitrary commands with elevated privileges, leading to local privilege escalation.

References

	URL	Tags
	cve@mitre.org	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.7#Security_Fixes	Release Notes
	cve@mitre.org	https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P39#Security_Fixes	Release Notes

Impacted products

Vendor	Product	Version
zimbra	collaboration	*
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4CE0029A-44EA-4774-879D-5FA2D35F09BD",
              "versionEndExcluding": "10.0.7",
              "versionStartIncluding": "10.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "685D9652-2934-4C13-8B36-40582C79BFC1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p0:*:*:*:*:*:*",
              "matchCriteriaId": "5E4DF01A-1AA9-47E8-82FD-65A02ECA1376",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p1:*:*:*:*:*:*",
              "matchCriteriaId": "BDE59185-B917-4A81-8DE4-C65A079F52FE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p10:*:*:*:*:*:*",
              "matchCriteriaId": "BA3ED95F-95F2-4676-8EAF-B4B9EB64B260",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p11:*:*:*:*:*:*",
              "matchCriteriaId": "4BB93336-CC3C-4B7F-B194-7DED036ABBAF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p12:*:*:*:*:*:*",
              "matchCriteriaId": "876F1675-F65C-4E86-ADBD-36EB8D8A997D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p13:*:*:*:*:*:*",
              "matchCriteriaId": "2306F526-9C56-4A57-AA9B-02F2D6058C97",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p14:*:*:*:*:*:*",
              "matchCriteriaId": "F9EA2A61-67AA-4B7E-BC6E-80EB1363EF85",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p15:*:*:*:*:*:*",
              "matchCriteriaId": "C77A35B7-96F6-43A7-A747-C6AEEDE961E1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p16:*:*:*:*:*:*",
              "matchCriteriaId": "DC35882B-E709-42D8-8800-F1B734CEAFC3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p19:*:*:*:*:*:*",
              "matchCriteriaId": "B7A47276-F241-4A68-9458-E1481EBDC5E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p2:*:*:*:*:*:*",
              "matchCriteriaId": "12D0D469-6C9B-4B66-9581-DC319773238A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p20:*:*:*:*:*:*",
              "matchCriteriaId": "40629BEB-DF4B-4FB8-8D3D-7BAC43C90766",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p21:*:*:*:*:*:*",
              "matchCriteriaId": "9503131F-CC23-4545-AE9C-9714B287CC25",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p23:*:*:*:*:*:*",
              "matchCriteriaId": "B4CE2D12-AD31-4FED-AD0F-ADF64E92E1B1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p24:*:*:*:*:*:*",
              "matchCriteriaId": "8113A4E3-AA96-4382-815D-6FD88BA42EC5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p24.1:*:*:*:*:*:*",
              "matchCriteriaId": "DC8C28E0-6C51-41EE-A7B2-DB185D1D8FD0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p25:*:*:*:*:*:*",
              "matchCriteriaId": "BC19F11D-23D9-429D-A957-D67F23A40A01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p26:*:*:*:*:*:*",
              "matchCriteriaId": "AAFA2EE7-C965-4F27-8CAE-E607A9F202AD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p27:*:*:*:*:*:*",
              "matchCriteriaId": "1D09DCF6-1C8F-4CA1-B7D4-AFDD4EB35771",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p3:*:*:*:*:*:*",
              "matchCriteriaId": "C52705E6-2C6B-47BC-A0CD-F6AAE0BFC302",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p30:*:*:*:*:*:*",
              "matchCriteriaId": "FD1DCE2B-D944-43AE-AD0E-9282DE6D618F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p31:*:*:*:*:*:*",
              "matchCriteriaId": "2079B9F8-128B-487D-A965-E8B37FDF6304",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p32:*:*:*:*:*:*",
              "matchCriteriaId": "9679FD62-815E-47A8-8552-D28CE48B82B2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p33:*:*:*:*:*:*",
              "matchCriteriaId": "D659AE6A-591E-4D5B-9781-9648250F5576",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p34:*:*:*:*:*:*",
              "matchCriteriaId": "E4054E3E-561C-4B1C-A615-3CCE5CB69D77",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p35:*:*:*:*:*:*",
              "matchCriteriaId": "4FA0E9C4-25E4-4CD6-B88A-02B413385866",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p36:*:*:*:*:*:*",
              "matchCriteriaId": "5D6F7CA3-C36A-466C-8FAD-D0B3CEF01F0E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p37:*:*:*:*:*:*",
              "matchCriteriaId": "9684AC81-B557-4292-8402-AE55CB2E613C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p38:*:*:*:*:*:*",
              "matchCriteriaId": "32A352C4-0E9C-436F-ADA7-D93492A18037",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p4:*:*:*:*:*:*",
              "matchCriteriaId": "33F50D8C-7027-4A8D-8E95-98C224283772",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p5:*:*:*:*:*:*",
              "matchCriteriaId": "82000BA4-1781-4312-A7BD-92EC94D137AE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p6:*:*:*:*:*:*",
              "matchCriteriaId": "4B52D301-2559-457A-8FFB-F0915299355A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p7:*:*:*:*:*:*",
              "matchCriteriaId": "7215AE2C-8A33-4AB9-88D5-7C8CD11E806C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p7.1:*:*:*:*:*:*",
              "matchCriteriaId": "8D859F77-8E39-4D46-BC90-C5C1D805A666",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p8:*:*:*:*:*:*",
              "matchCriteriaId": "CDC810C7-45DA-4BDF-9138-2D3B2750243E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p9:*:*:*:*:*:*",
              "matchCriteriaId": "E09D95A4-764D-4E0B-8605-1D94FD548AB2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The zmmailboxdmgr binary, a component of ZCS, is intended to be executed by the zimbra user with root privileges for specific mailbox operations. However, an attacker can escalate privileges from the zimbra user to root, because of improper handling of input arguments. An attacker can execute arbitrary commands with elevated privileges, leading to local privilege escalation."
    },
    {
      "lang": "es",
      "value": "Se descubri\u00f3 un problema en Zimbra Collaboration (ZCS) 9.0 y 10.0. El binario zmmailboxdmgr, un componente de ZCS, est\u00e1 manipulado para que lo ejecute el usuario de zimbra con privilegios de root para operaciones espec\u00edficas del buz\u00f3n. Sin embargo, un atacante puede escalar privilegios del usuario de zimbra al root debido al manejo inadecuado de los argumentos de entrada. Un atacante puede ejecutar comandos arbitrarios con privilegios elevados, lo que lleva a una escalada de privilegios locales."
    }
  ],
  "id": "CVE-2024-27442",
  "lastModified": "2024-08-13T17:30:36.833",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-08-12T15:15:20.193",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.7#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P39#Security_Fixes"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-755"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-269"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2024-33533

Vulnerability from fkie_nvd - Published: 2024-08-12 15:15 - Updated: 2025-03-13 21:15

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0, issue 1 of 2. A reflected cross-site scripting (XSS) vulnerability has been identified in the Zimbra webmail admin interface. This vulnerability occurs due to inadequate input validation of the packages parameter, allowing an authenticated attacker to inject and execute arbitrary JavaScript code within the context of another user's browser session. By uploading a malicious JavaScript file and crafting a URL containing its location in the packages parameter, the attacker can exploit this vulnerability. Subsequently, when another user visits the crafted URL, the malicious JavaScript code is executed.

References

	URL	Tags
	cve@mitre.org	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.8#Security_Fixes	Release Notes
	cve@mitre.org	https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P40#Security_Fixes	Release Notes

Impacted products

Vendor	Product	Version
zimbra	collaboration	*
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A5BC091A-EE5A-4D34-9D2E-754D3C2FCA3F",
              "versionEndExcluding": "10.0.8",
              "versionStartIncluding": "10.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "685D9652-2934-4C13-8B36-40582C79BFC1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p0:*:*:*:*:*:*",
              "matchCriteriaId": "5E4DF01A-1AA9-47E8-82FD-65A02ECA1376",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p1:*:*:*:*:*:*",
              "matchCriteriaId": "BDE59185-B917-4A81-8DE4-C65A079F52FE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p10:*:*:*:*:*:*",
              "matchCriteriaId": "BA3ED95F-95F2-4676-8EAF-B4B9EB64B260",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p11:*:*:*:*:*:*",
              "matchCriteriaId": "4BB93336-CC3C-4B7F-B194-7DED036ABBAF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p12:*:*:*:*:*:*",
              "matchCriteriaId": "876F1675-F65C-4E86-ADBD-36EB8D8A997D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p13:*:*:*:*:*:*",
              "matchCriteriaId": "2306F526-9C56-4A57-AA9B-02F2D6058C97",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p14:*:*:*:*:*:*",
              "matchCriteriaId": "F9EA2A61-67AA-4B7E-BC6E-80EB1363EF85",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p15:*:*:*:*:*:*",
              "matchCriteriaId": "C77A35B7-96F6-43A7-A747-C6AEEDE961E1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p16:*:*:*:*:*:*",
              "matchCriteriaId": "DC35882B-E709-42D8-8800-F1B734CEAFC3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p19:*:*:*:*:*:*",
              "matchCriteriaId": "B7A47276-F241-4A68-9458-E1481EBDC5E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p2:*:*:*:*:*:*",
              "matchCriteriaId": "12D0D469-6C9B-4B66-9581-DC319773238A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p20:*:*:*:*:*:*",
              "matchCriteriaId": "40629BEB-DF4B-4FB8-8D3D-7BAC43C90766",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p21:*:*:*:*:*:*",
              "matchCriteriaId": "9503131F-CC23-4545-AE9C-9714B287CC25",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p23:*:*:*:*:*:*",
              "matchCriteriaId": "B4CE2D12-AD31-4FED-AD0F-ADF64E92E1B1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p24:*:*:*:*:*:*",
              "matchCriteriaId": "8113A4E3-AA96-4382-815D-6FD88BA42EC5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p24.1:*:*:*:*:*:*",
              "matchCriteriaId": "DC8C28E0-6C51-41EE-A7B2-DB185D1D8FD0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p25:*:*:*:*:*:*",
              "matchCriteriaId": "BC19F11D-23D9-429D-A957-D67F23A40A01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p26:*:*:*:*:*:*",
              "matchCriteriaId": "AAFA2EE7-C965-4F27-8CAE-E607A9F202AD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p27:*:*:*:*:*:*",
              "matchCriteriaId": "1D09DCF6-1C8F-4CA1-B7D4-AFDD4EB35771",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p3:*:*:*:*:*:*",
              "matchCriteriaId": "C52705E6-2C6B-47BC-A0CD-F6AAE0BFC302",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p30:*:*:*:*:*:*",
              "matchCriteriaId": "FD1DCE2B-D944-43AE-AD0E-9282DE6D618F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p31:*:*:*:*:*:*",
              "matchCriteriaId": "2079B9F8-128B-487D-A965-E8B37FDF6304",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p32:*:*:*:*:*:*",
              "matchCriteriaId": "9679FD62-815E-47A8-8552-D28CE48B82B2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p33:*:*:*:*:*:*",
              "matchCriteriaId": "D659AE6A-591E-4D5B-9781-9648250F5576",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p34:*:*:*:*:*:*",
              "matchCriteriaId": "E4054E3E-561C-4B1C-A615-3CCE5CB69D77",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p35:*:*:*:*:*:*",
              "matchCriteriaId": "4FA0E9C4-25E4-4CD6-B88A-02B413385866",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p36:*:*:*:*:*:*",
              "matchCriteriaId": "5D6F7CA3-C36A-466C-8FAD-D0B3CEF01F0E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p37:*:*:*:*:*:*",
              "matchCriteriaId": "9684AC81-B557-4292-8402-AE55CB2E613C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p38:*:*:*:*:*:*",
              "matchCriteriaId": "32A352C4-0E9C-436F-ADA7-D93492A18037",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p39:*:*:*:*:*:*",
              "matchCriteriaId": "ABCA8698-AB88-4A6D-BD2B-DB22AEED6536",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p4:*:*:*:*:*:*",
              "matchCriteriaId": "33F50D8C-7027-4A8D-8E95-98C224283772",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p5:*:*:*:*:*:*",
              "matchCriteriaId": "82000BA4-1781-4312-A7BD-92EC94D137AE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p6:*:*:*:*:*:*",
              "matchCriteriaId": "4B52D301-2559-457A-8FFB-F0915299355A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p7:*:*:*:*:*:*",
              "matchCriteriaId": "7215AE2C-8A33-4AB9-88D5-7C8CD11E806C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p7.1:*:*:*:*:*:*",
              "matchCriteriaId": "8D859F77-8E39-4D46-BC90-C5C1D805A666",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p8:*:*:*:*:*:*",
              "matchCriteriaId": "CDC810C7-45DA-4BDF-9138-2D3B2750243E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p9:*:*:*:*:*:*",
              "matchCriteriaId": "E09D95A4-764D-4E0B-8605-1D94FD548AB2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0, issue 1 of 2. A reflected cross-site scripting (XSS) vulnerability has been identified in the Zimbra webmail admin interface. This vulnerability occurs due to inadequate input validation of the packages parameter, allowing an authenticated attacker to inject and execute arbitrary JavaScript code within the context of another user\u0027s browser session. By uploading a malicious JavaScript file and crafting a URL containing its location in the packages parameter, the attacker can exploit this vulnerability. Subsequently, when another user visits the crafted URL, the malicious JavaScript code is executed."
    },
    {
      "lang": "es",
      "value": "Se descubri\u00f3 un problema en Zimbra Collaboration (ZCS) 9.0 y 10.0, n\u00famero 1 de 2. Se identific\u00f3 una vulnerabilidad de cross site scripting (XSS) reflejado en la interfaz de administraci\u00f3n del correo web de Zimbra. Esta vulnerabilidad se produce debido a una validaci\u00f3n de entrada inadecuada del par\u00e1metro de paquetes, lo que permite a un atacante autenticado inyectar y ejecutar c\u00f3digo JavaScript arbitrario dentro del contexto de la sesi\u00f3n del navegador de otro usuario. Al cargar un archivo JavaScript malicioso y crear una URL que contenga su ubicaci\u00f3n en el par\u00e1metro de paquetes, el atacante puede aprovechar esta vulnerabilidad. Posteriormente, cuando otro usuario visita la URL manipulada, se ejecuta el c\u00f3digo JavaScript malicioso."
    }
  ],
  "id": "CVE-2024-33533",
  "lastModified": "2025-03-13T21:15:39.390",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-08-12T15:15:20.480",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.8#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P40#Security_Fixes"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2024-27443

Vulnerability from fkie_nvd - Published: 2024-08-12 15:15 - Updated: 2025-10-31 12:49

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim's session, potentially leading to execution of arbitrary JavaScript code.

References

URL	Tags
cve@mitre.org	https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.7#Security_Fixes	Release Notes
cve@mitre.org	https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P39#Security_Fixes	Release Notes
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27443	US Government Resource
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.welivesecurity.com/en/eset-research/operation-roundpress/	Press/Media Coverage

Impacted products

Vendor	Product	Version
zimbra	collaboration	*
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0

JSON

To clipboard

{
  "cisaActionDue": "2025-06-09",
  "cisaExploitAdd": "2025-05-19",
  "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
  "cisaVulnerabilityName": "Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4CE0029A-44EA-4774-879D-5FA2D35F09BD",
              "versionEndExcluding": "10.0.7",
              "versionStartIncluding": "10.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "685D9652-2934-4C13-8B36-40582C79BFC1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p0:*:*:*:*:*:*",
              "matchCriteriaId": "5E4DF01A-1AA9-47E8-82FD-65A02ECA1376",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p1:*:*:*:*:*:*",
              "matchCriteriaId": "BDE59185-B917-4A81-8DE4-C65A079F52FE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p10:*:*:*:*:*:*",
              "matchCriteriaId": "BA3ED95F-95F2-4676-8EAF-B4B9EB64B260",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p11:*:*:*:*:*:*",
              "matchCriteriaId": "4BB93336-CC3C-4B7F-B194-7DED036ABBAF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p12:*:*:*:*:*:*",
              "matchCriteriaId": "876F1675-F65C-4E86-ADBD-36EB8D8A997D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p13:*:*:*:*:*:*",
              "matchCriteriaId": "2306F526-9C56-4A57-AA9B-02F2D6058C97",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p14:*:*:*:*:*:*",
              "matchCriteriaId": "F9EA2A61-67AA-4B7E-BC6E-80EB1363EF85",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p15:*:*:*:*:*:*",
              "matchCriteriaId": "C77A35B7-96F6-43A7-A747-C6AEEDE961E1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p16:*:*:*:*:*:*",
              "matchCriteriaId": "DC35882B-E709-42D8-8800-F1B734CEAFC3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p19:*:*:*:*:*:*",
              "matchCriteriaId": "B7A47276-F241-4A68-9458-E1481EBDC5E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p2:*:*:*:*:*:*",
              "matchCriteriaId": "12D0D469-6C9B-4B66-9581-DC319773238A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p20:*:*:*:*:*:*",
              "matchCriteriaId": "40629BEB-DF4B-4FB8-8D3D-7BAC43C90766",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p21:*:*:*:*:*:*",
              "matchCriteriaId": "9503131F-CC23-4545-AE9C-9714B287CC25",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p23:*:*:*:*:*:*",
              "matchCriteriaId": "B4CE2D12-AD31-4FED-AD0F-ADF64E92E1B1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p24:*:*:*:*:*:*",
              "matchCriteriaId": "8113A4E3-AA96-4382-815D-6FD88BA42EC5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p24.1:*:*:*:*:*:*",
              "matchCriteriaId": "DC8C28E0-6C51-41EE-A7B2-DB185D1D8FD0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p25:*:*:*:*:*:*",
              "matchCriteriaId": "BC19F11D-23D9-429D-A957-D67F23A40A01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p26:*:*:*:*:*:*",
              "matchCriteriaId": "AAFA2EE7-C965-4F27-8CAE-E607A9F202AD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p27:*:*:*:*:*:*",
              "matchCriteriaId": "1D09DCF6-1C8F-4CA1-B7D4-AFDD4EB35771",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p3:*:*:*:*:*:*",
              "matchCriteriaId": "C52705E6-2C6B-47BC-A0CD-F6AAE0BFC302",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p30:*:*:*:*:*:*",
              "matchCriteriaId": "FD1DCE2B-D944-43AE-AD0E-9282DE6D618F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p31:*:*:*:*:*:*",
              "matchCriteriaId": "2079B9F8-128B-487D-A965-E8B37FDF6304",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p32:*:*:*:*:*:*",
              "matchCriteriaId": "9679FD62-815E-47A8-8552-D28CE48B82B2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p33:*:*:*:*:*:*",
              "matchCriteriaId": "D659AE6A-591E-4D5B-9781-9648250F5576",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p34:*:*:*:*:*:*",
              "matchCriteriaId": "E4054E3E-561C-4B1C-A615-3CCE5CB69D77",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p35:*:*:*:*:*:*",
              "matchCriteriaId": "4FA0E9C4-25E4-4CD6-B88A-02B413385866",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p36:*:*:*:*:*:*",
              "matchCriteriaId": "5D6F7CA3-C36A-466C-8FAD-D0B3CEF01F0E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p37:*:*:*:*:*:*",
              "matchCriteriaId": "9684AC81-B557-4292-8402-AE55CB2E613C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p38:*:*:*:*:*:*",
              "matchCriteriaId": "32A352C4-0E9C-436F-ADA7-D93492A18037",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p4:*:*:*:*:*:*",
              "matchCriteriaId": "33F50D8C-7027-4A8D-8E95-98C224283772",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p5:*:*:*:*:*:*",
              "matchCriteriaId": "82000BA4-1781-4312-A7BD-92EC94D137AE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p6:*:*:*:*:*:*",
              "matchCriteriaId": "4B52D301-2559-457A-8FFB-F0915299355A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p7:*:*:*:*:*:*",
              "matchCriteriaId": "7215AE2C-8A33-4AB9-88D5-7C8CD11E806C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p7.1:*:*:*:*:*:*",
              "matchCriteriaId": "8D859F77-8E39-4D46-BC90-C5C1D805A666",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p8:*:*:*:*:*:*",
              "matchCriteriaId": "CDC810C7-45DA-4BDF-9138-2D3B2750243E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:p9:*:*:*:*:*:*",
              "matchCriteriaId": "E09D95A4-764D-4E0B-8605-1D94FD548AB2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim\u0027s session, potentially leading to execution of arbitrary JavaScript code."
    },
    {
      "lang": "es",
      "value": "Se descubri\u00f3 un problema en Zimbra Collaboration (ZCS) 9.0 y 10.0. Existe una vulnerabilidad de cross site scripting (XSS) en la funci\u00f3n CalendarInvite de la interfaz de usuario cl\u00e1sica del correo web de Zimbra, debido a una validaci\u00f3n de entrada incorrecta en el manejo del encabezado del calendario. Un atacante puede aprovechar esto a trav\u00e9s de un mensaje de correo electr\u00f3nico que contenga un encabezado de calendario manipulado con un payload XSS incorporado. Cuando una v\u00edctima ve este mensaje en la interfaz cl\u00e1sica del correo web de Zimbra, el payload se ejecuta en el contexto de la sesi\u00f3n de la v\u00edctima, lo que potencialmente conduce a la ejecuci\u00f3n de c\u00f3digo JavaScript arbitrario."
    }
  ],
  "id": "CVE-2024-27443",
  "lastModified": "2025-10-31T12:49:00.460",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-08-12T15:15:20.283",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.7#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P39#Security_Fixes"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27443"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Press/Media Coverage"
      ],
      "url": "https://www.welivesecurity.com/en/eset-research/operation-roundpress/"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

Search criteria

149 vulnerabilities found for collaboration by zimbra

CVE-2025-62763 (GCVE-0-2025-62763)

CVE-2024-45515 (GCVE-0-2024-45515)

CVE-2025-27914 (GCVE-0-2025-27914)

CVE-2025-27915 (GCVE-0-2025-27915)

CVE-2024-45518 (GCVE-0-2024-45518)

CVE-2024-45519 (GCVE-0-2024-45519)

CVE-2024-27443 (GCVE-0-2024-27443)

CVE-2024-33536 (GCVE-0-2024-33536)

CVE-2024-27442 (GCVE-0-2024-27442)

CVE-2024-33535 (GCVE-0-2024-33535)

CVE-2025-62763 (GCVE-0-2025-62763)

CVE-2024-45515 (GCVE-0-2024-45515)

CVE-2025-27914 (GCVE-0-2025-27914)

CVE-2025-27915 (GCVE-0-2025-27915)

CVE-2024-45518 (GCVE-0-2024-45518)

CVE-2024-45519 (GCVE-0-2024-45519)

CVE-2024-27443 (GCVE-0-2024-27443)

CVE-2024-33536 (GCVE-0-2024-33536)

CVE-2024-27442 (GCVE-0-2024-27442)

CVE-2024-33535 (GCVE-0-2024-33535)