Search criteria

222 vulnerabilities found for zimbra_collaboration_suite by synacor

FKIE_CVE-2025-48700

Vulnerability from fkie_nvd - Published: 2025-06-23 15:15 - Updated: 2025-07-11 14:32
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 and 10.1. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, specifically involving crafted tag structures and attribute values that include an @import directive and other script injection vectors. The vulnerability is triggered when a user views a crafted e-mail message in the Classic UI, requiring no additional user interaction.
References
cve@mitre.orghttps://wiki.zimbra.com/wiki/Security_CenterRelease Notes
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_PolicyProduct
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Security_AdvisoriesVendor Advisory
Impacted products
Vendor Product Version
synacor zimbra_collaboration_suite *
synacor zimbra_collaboration_suite *
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E603BD7A-730E-410C-BBE1-3E5A8DD2A72F",
              "versionEndExcluding": "10.0.12",
              "versionStartIncluding": "10.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "55361360-9F77-4731-82AD-82E65E4C5AA0",
              "versionEndExcluding": "10.1.4",
              "versionStartIncluding": "10.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:-:*:*:*:*:*:*",
              "matchCriteriaId": "9E39A855-C0EB-4448-AE96-177757C40C66",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p1:*:*:*:*:*:*",
              "matchCriteriaId": "FFE7BE6E-7A9A-40C7-B236-7A21103E9F41",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p10:*:*:*:*:*:*",
              "matchCriteriaId": "B5924FFC-BA19-48B3-BF4D-0C2DB3FCD407",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p11:*:*:*:*:*:*",
              "matchCriteriaId": "7822D273-C2CB-4EFE-B929-3D34C65E005E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p12:*:*:*:*:*:*",
              "matchCriteriaId": "F81528E8-FE3A-4C48-A747-34A3FF28BCAB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p13:*:*:*:*:*:*",
              "matchCriteriaId": "D772D4BA-9ED6-492C-A0D3-0AF4F3D49037",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p14:*:*:*:*:*:*",
              "matchCriteriaId": "C2A468FE-B59B-4CE9-B9B2-C836EEAFA3E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p15:*:*:*:*:*:*",
              "matchCriteriaId": "04BECDE0-F082-49FB-ACA2-5C808902AA17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p16:*:*:*:*:*:*",
              "matchCriteriaId": "56558FD4-4391-4199-BA6B-B53F5DC30144",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p17:*:*:*:*:*:*",
              "matchCriteriaId": "69A530D3-B84E-427B-BC92-64BBFEF331BE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p18:*:*:*:*:*:*",
              "matchCriteriaId": "3C0DCE7F-85A4-44C6-88C8-380B0BBBFA7E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p19:*:*:*:*:*:*",
              "matchCriteriaId": "180AF8B6-55AE-460C-B613-37FB697B5325",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p2:*:*:*:*:*:*",
              "matchCriteriaId": "6FCB5528-70FD-4525-A78B-D5537609331A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p20:*:*:*:*:*:*",
              "matchCriteriaId": "34B07279-A26A-4EB1-8B33-885AD854018B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p21:*:*:*:*:*:*",
              "matchCriteriaId": "97402ADA-AB05-4A92-920D-EA5363424FDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p22:*:*:*:*:*:*",
              "matchCriteriaId": "697A1D34-FF0C-4F9E-8E91-34404A366D70",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p23:*:*:*:*:*:*",
              "matchCriteriaId": "9030D096-87A1-4AFF-BB7C-CE71990005B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p24:*:*:*:*:*:*",
              "matchCriteriaId": "F211A8B1-E33E-49BE-9C18-31B1902EB4FE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p25:*:*:*:*:*:*",
              "matchCriteriaId": "4152CEA2-9DC1-4567-BAB3-9C36F74F77EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p26:*:*:*:*:*:*",
              "matchCriteriaId": "9BC02B35-7FC4-41AB-8D2E-2CD1896D84C6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p27:*:*:*:*:*:*",
              "matchCriteriaId": "0294CB8B-B0AF-4A5C-B6B2-33F5BFFFBD4C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p28:*:*:*:*:*:*",
              "matchCriteriaId": "968A75B4-6D23-4B83-A8B5-777D8F151E04",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p29:*:*:*:*:*:*",
              "matchCriteriaId": "5E11BC24-56A3-4CAB-B0B2-D2430CD80767",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p3:*:*:*:*:*:*",
              "matchCriteriaId": "EF2EE32D-04A5-46EA-92F0-3C8D74A4B82A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p30:*:*:*:*:*:*",
              "matchCriteriaId": "50FB0099-0495-4735-9398-7F7E657F459B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p31:*:*:*:*:*:*",
              "matchCriteriaId": "FAE2858A-6D9E-4D79-AFA6-69C44D6D8C75",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p31.1:*:*:*:*:*:*",
              "matchCriteriaId": "5C1D9EB8-E3FE-4BF3-8517-603BA4B126C2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p32:*:*:*:*:*:*",
              "matchCriteriaId": "50A296BC-6DA4-41B2-923A-0633566AD6C1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p33:*:*:*:*:*:*",
              "matchCriteriaId": "C066ED38-1175-48FB-BE05-BE0C19E9EBE7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p34:*:*:*:*:*:*",
              "matchCriteriaId": "89B3EF32-B474-44DB-AE30-CD308CDC5A77",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p35:*:*:*:*:*:*",
              "matchCriteriaId": "A9ECCB00-F3F4-4EB7-9FD0-4CB64678B129",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p36:*:*:*:*:*:*",
              "matchCriteriaId": "37739F7A-490F-42A8-B97D-D09A3EDB85DC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p37:*:*:*:*:*:*",
              "matchCriteriaId": "518662DA-C0F3-4875-86D7-5ED2B2496CC8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p38:*:*:*:*:*:*",
              "matchCriteriaId": "64B28BE5-F35D-4AB0-A321-CEAE21BC26FF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p39:*:*:*:*:*:*",
              "matchCriteriaId": "9DFBABD6-70F2-4E3B-A9C0-82DE76D48542",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p4:*:*:*:*:*:*",
              "matchCriteriaId": "BB3C28CA-4C22-423E-B1C7-CBAFBB91F4DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p40:*:*:*:*:*:*",
              "matchCriteriaId": "0D2D6DBD-560A-4F8E-B2CC-67A564C460A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p41:*:*:*:*:*:*",
              "matchCriteriaId": "BFBC20F8-7F50-4D9D-8442-3397DED4B18B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p42:*:*:*:*:*:*",
              "matchCriteriaId": "D175FCA2-F902-4470-BFF6-5EC2F31BB06D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p43:*:*:*:*:*:*",
              "matchCriteriaId": "5516ED19-5648-4BC8-A9C2-6EE41B1794C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p44:*:*:*:*:*:*",
              "matchCriteriaId": "28D5F229-EE33-42C4-A26D-23BC760720A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p45:*:*:*:*:*:*",
              "matchCriteriaId": "A00BE897-F462-4193-BF51-4381B04C076B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p46:*:*:*:*:*:*",
              "matchCriteriaId": "8D93DABB-4E8B-4DB4-BCD5-D495933D0223",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p5:*:*:*:*:*:*",
              "matchCriteriaId": "A9A1314A-20C8-42D7-9387-D914999EEAF6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p6:*:*:*:*:*:*",
              "matchCriteriaId": "CEF091C5-8DC6-4A41-9E84-F53BE703F71B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p7:*:*:*:*:*:*",
              "matchCriteriaId": "ACD65C28-9716-4073-8613-C4AF12684760",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p8:*:*:*:*:*:*",
              "matchCriteriaId": "2C58AFFF-848F-490D-A95C-03A267C2DC98",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p9:*:*:*:*:*:*",
              "matchCriteriaId": "B62DC188-89A8-4AEA-90AE-563F0BBEFC54",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "32AFCE22-5ADA-4FF7-A165-5EC12B325DEF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p1:*:*:*:*:*:*",
              "matchCriteriaId": "D3577FE6-F1F4-4555-8D27-84D6DE731EA3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p10:*:*:*:*:*:*",
              "matchCriteriaId": "931BD98E-1A5F-4634-945B-BDD7D2FAA8B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p11:*:*:*:*:*:*",
              "matchCriteriaId": "2E7C0A57-A887-4D29-B601-4275313F46B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p12:*:*:*:*:*:*",
              "matchCriteriaId": "B7248B91-D136-4DD5-A631-737E4C220A02",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p13:*:*:*:*:*:*",
              "matchCriteriaId": "494F6FD4-36ED-4E40-8336-7F077FA80FA8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p14:*:*:*:*:*:*",
              "matchCriteriaId": "9DF8C0CE-A71D-4BB1-83FB-1EA5ED77E0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p15:*:*:*:*:*:*",
              "matchCriteriaId": "E0648498-2EE5-4B68-8360-ED5914285356",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p16:*:*:*:*:*:*",
              "matchCriteriaId": "24282FF8-548B-415B-95CA-1EFD404D21D3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p17:*:*:*:*:*:*",
              "matchCriteriaId": "ACFDF2D9-ED72-4969-AA3B-E8D48CB1922D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p18:*:*:*:*:*:*",
              "matchCriteriaId": "2B7D0A8B-7A72-4C1A-85F2-BE336CA47E0B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p19:*:*:*:*:*:*",
              "matchCriteriaId": "019AFC34-289E-4A01-B08B-A5807F7F909A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p2:*:*:*:*:*:*",
              "matchCriteriaId": "7E7B3976-DA6F-4285-93E6-2328006F7F4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p20:*:*:*:*:*:*",
              "matchCriteriaId": "062E586F-0E02-45A6-93AD-895048FC2D4C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p21:*:*:*:*:*:*",
              "matchCriteriaId": "3EE37BEE-4BDB-4E62-8DE3-98CF74DFBE01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p22:*:*:*:*:*:*",
              "matchCriteriaId": "ADF51BCA-37DD-4642-B201-74A6D1A545FF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p23:*:*:*:*:*:*",
              "matchCriteriaId": "39611F3D-A898-4C35-8915-3334CDFB78E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24:*:*:*:*:*:*",
              "matchCriteriaId": "40AB56B7-7222-4C44-A271-45DFE3673F72",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24.1:*:*:*:*:*:*",
              "matchCriteriaId": "2AE8F501-4528-4F15-AE50-D4F11FB462DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p25:*:*:*:*:*:*",
              "matchCriteriaId": "AB9E054B-7790-4E74-A771-40BF6EC71610",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p26:*:*:*:*:*:*",
              "matchCriteriaId": "DD924E57-C77B-430B-A615-537BB39CEA9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p27:*:*:*:*:*:*",
              "matchCriteriaId": "F43F4AC0-7C82-4CF4-B0C7-3A4C567BC985",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p28:*:*:*:*:*:*",
              "matchCriteriaId": "7991F602-41D7-4377-B888-D66A467EAD67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p29:*:*:*:*:*:*",
              "matchCriteriaId": "2193FCA2-1AE3-497D-B0ED-5B89727410E3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p3:*:*:*:*:*:*",
              "matchCriteriaId": "FA310AFA-492D-4A6C-A7F6-740E82CB6E57",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p30:*:*:*:*:*:*",
              "matchCriteriaId": "FF95618B-0BFB-403C-83BE-C97879FC866D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p31:*:*:*:*:*:*",
              "matchCriteriaId": "A82346A9-9CC2-4B91-BA2F-A815AAA92A7F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p32:*:*:*:*:*:*",
              "matchCriteriaId": "2E800348-E139-418D-910B-7B3A9E1E721C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p33:*:*:*:*:*:*",
              "matchCriteriaId": "C7DE1A7E-573B-42F3-B0A4-D2E676954FE0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p34:*:*:*:*:*:*",
              "matchCriteriaId": "E60BC1D0-8552-4E6B-B2C5-96038448C238",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p35:*:*:*:*:*:*",
              "matchCriteriaId": "3924251E-13B0-420E-8080-D3312C3D54AF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p36:*:*:*:*:*:*",
              "matchCriteriaId": "AEBE75F9-A494-4C78-927A-EA564BDCCE0B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p37:*:*:*:*:*:*",
              "matchCriteriaId": "900BECBA-7FDB-4E35-9603-29706FB87BD2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p38:*:*:*:*:*:*",
              "matchCriteriaId": "5024FD58-A3ED-43B1-83EF-F4570C2573BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p39:*:*:*:*:*:*",
              "matchCriteriaId": "3CC9D046-4EB4-4608-8AB7-B60AC330A770",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p4:*:*:*:*:*:*",
              "matchCriteriaId": "2AF337B5-B296-449B-8848-7636EC7C46C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p40:*:*:*:*:*:*",
              "matchCriteriaId": "A4535EC5-74D5-41E8-95F1-5C033ADB043E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p41:*:*:*:*:*:*",
              "matchCriteriaId": "408E1BFD-16AA-458C-B040-04870522FEBD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p42:*:*:*:*:*:*",
              "matchCriteriaId": "205B2CDC-6423-4FD9-9FD0-847ADEB64003",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p5:*:*:*:*:*:*",
              "matchCriteriaId": "52232ACA-C158-48C8-A0DB-7689040CB8FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p6:*:*:*:*:*:*",
              "matchCriteriaId": "3B4D0040-86D0-46C3-8A9A-3DD12138B9ED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p7:*:*:*:*:*:*",
              "matchCriteriaId": "D2BB9BC7-078D-4E08-88E4-9432D74CA9BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p8:*:*:*:*:*:*",
              "matchCriteriaId": "F04D4B77-D386-4BC8-8169-9846693F6F11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p9:*:*:*:*:*:*",
              "matchCriteriaId": "992370FA-F171-4FB3-9C1C-58AC37038CE4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 and 10.1. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user\u0027s session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, specifically involving crafted tag structures and attribute values that include an @import directive and other script injection vectors. The vulnerability is triggered when a user views a crafted e-mail message in the Classic UI, requiring no additional user interaction."
    },
    {
      "lang": "es",
      "value": "Se descubri\u00f3 un problema en Zimbra Collaboration (ZCS) 8.8.15, 9.0, 10.0 y 10.1. Una vulnerabilidad de cross-site scripting (XSS) en la interfaz cl\u00e1sica de Zimbra permite a los atacantes ejecutar c\u00f3digo JavaScript arbitrario dentro de la sesi\u00f3n del usuario, lo que podr\u00eda provocar acceso no autorizado a informaci\u00f3n confidencial. Este problema se debe a una limpieza insuficiente del contenido HTML, en particular a estructuras de etiquetas y valores de atributos manipulados que incluyen la directiva @import y otros vectores de inyecci\u00f3n de scripts. La vulnerabilidad se activa cuando un usuario visualiza un mensaje de correo electr\u00f3nico manipulado en la interfaz cl\u00e1sica, sin necesidad de interacci\u00f3n adicional."
    }
  ],
  "id": "CVE-2025-48700",
  "lastModified": "2025-07-11T14:32:05.157",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-06-23T15:15:27.930",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Security_Center"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2024-45516

Vulnerability from fkie_nvd - Published: 2025-05-14 20:15 - Updated: 2025-06-11 21:20
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, including malformed <img> tags with embedded JavaScript. The vulnerability is triggered when a user views a specially crafted email in the Classic UI, requiring no additional user interaction.
References
cve@mitre.orghttps://wiki.zimbra.com/wiki/Security_CenterVendor Advisory
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_FixesRelease Notes
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_PolicyProduct
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Security_AdvisoriesVendor Advisory
Impacted products
Vendor Product Version
synacor zimbra_collaboration_suite *
synacor zimbra_collaboration_suite *
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E603BD7A-730E-410C-BBE1-3E5A8DD2A72F",
              "versionEndExcluding": "10.0.12",
              "versionStartIncluding": "10.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "55361360-9F77-4731-82AD-82E65E4C5AA0",
              "versionEndExcluding": "10.1.4",
              "versionStartIncluding": "10.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:-:*:*:*:*:*:*",
              "matchCriteriaId": "9E39A855-C0EB-4448-AE96-177757C40C66",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p1:*:*:*:*:*:*",
              "matchCriteriaId": "FFE7BE6E-7A9A-40C7-B236-7A21103E9F41",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p10:*:*:*:*:*:*",
              "matchCriteriaId": "B5924FFC-BA19-48B3-BF4D-0C2DB3FCD407",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p11:*:*:*:*:*:*",
              "matchCriteriaId": "7822D273-C2CB-4EFE-B929-3D34C65E005E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p12:*:*:*:*:*:*",
              "matchCriteriaId": "F81528E8-FE3A-4C48-A747-34A3FF28BCAB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p13:*:*:*:*:*:*",
              "matchCriteriaId": "D772D4BA-9ED6-492C-A0D3-0AF4F3D49037",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p14:*:*:*:*:*:*",
              "matchCriteriaId": "C2A468FE-B59B-4CE9-B9B2-C836EEAFA3E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p15:*:*:*:*:*:*",
              "matchCriteriaId": "04BECDE0-F082-49FB-ACA2-5C808902AA17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p16:*:*:*:*:*:*",
              "matchCriteriaId": "56558FD4-4391-4199-BA6B-B53F5DC30144",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p17:*:*:*:*:*:*",
              "matchCriteriaId": "69A530D3-B84E-427B-BC92-64BBFEF331BE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p18:*:*:*:*:*:*",
              "matchCriteriaId": "3C0DCE7F-85A4-44C6-88C8-380B0BBBFA7E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p19:*:*:*:*:*:*",
              "matchCriteriaId": "180AF8B6-55AE-460C-B613-37FB697B5325",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p2:*:*:*:*:*:*",
              "matchCriteriaId": "6FCB5528-70FD-4525-A78B-D5537609331A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p20:*:*:*:*:*:*",
              "matchCriteriaId": "34B07279-A26A-4EB1-8B33-885AD854018B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p21:*:*:*:*:*:*",
              "matchCriteriaId": "97402ADA-AB05-4A92-920D-EA5363424FDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p22:*:*:*:*:*:*",
              "matchCriteriaId": "697A1D34-FF0C-4F9E-8E91-34404A366D70",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p23:*:*:*:*:*:*",
              "matchCriteriaId": "9030D096-87A1-4AFF-BB7C-CE71990005B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p24:*:*:*:*:*:*",
              "matchCriteriaId": "F211A8B1-E33E-49BE-9C18-31B1902EB4FE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p25:*:*:*:*:*:*",
              "matchCriteriaId": "4152CEA2-9DC1-4567-BAB3-9C36F74F77EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p26:*:*:*:*:*:*",
              "matchCriteriaId": "9BC02B35-7FC4-41AB-8D2E-2CD1896D84C6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p27:*:*:*:*:*:*",
              "matchCriteriaId": "0294CB8B-B0AF-4A5C-B6B2-33F5BFFFBD4C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p28:*:*:*:*:*:*",
              "matchCriteriaId": "968A75B4-6D23-4B83-A8B5-777D8F151E04",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p29:*:*:*:*:*:*",
              "matchCriteriaId": "5E11BC24-56A3-4CAB-B0B2-D2430CD80767",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p3:*:*:*:*:*:*",
              "matchCriteriaId": "EF2EE32D-04A5-46EA-92F0-3C8D74A4B82A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p30:*:*:*:*:*:*",
              "matchCriteriaId": "50FB0099-0495-4735-9398-7F7E657F459B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p31:*:*:*:*:*:*",
              "matchCriteriaId": "FAE2858A-6D9E-4D79-AFA6-69C44D6D8C75",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p31.1:*:*:*:*:*:*",
              "matchCriteriaId": "5C1D9EB8-E3FE-4BF3-8517-603BA4B126C2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p32:*:*:*:*:*:*",
              "matchCriteriaId": "50A296BC-6DA4-41B2-923A-0633566AD6C1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p33:*:*:*:*:*:*",
              "matchCriteriaId": "C066ED38-1175-48FB-BE05-BE0C19E9EBE7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p34:*:*:*:*:*:*",
              "matchCriteriaId": "89B3EF32-B474-44DB-AE30-CD308CDC5A77",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p35:*:*:*:*:*:*",
              "matchCriteriaId": "A9ECCB00-F3F4-4EB7-9FD0-4CB64678B129",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p36:*:*:*:*:*:*",
              "matchCriteriaId": "37739F7A-490F-42A8-B97D-D09A3EDB85DC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p37:*:*:*:*:*:*",
              "matchCriteriaId": "518662DA-C0F3-4875-86D7-5ED2B2496CC8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p38:*:*:*:*:*:*",
              "matchCriteriaId": "64B28BE5-F35D-4AB0-A321-CEAE21BC26FF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p39:*:*:*:*:*:*",
              "matchCriteriaId": "9DFBABD6-70F2-4E3B-A9C0-82DE76D48542",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p4:*:*:*:*:*:*",
              "matchCriteriaId": "BB3C28CA-4C22-423E-B1C7-CBAFBB91F4DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p40:*:*:*:*:*:*",
              "matchCriteriaId": "0D2D6DBD-560A-4F8E-B2CC-67A564C460A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p41:*:*:*:*:*:*",
              "matchCriteriaId": "BFBC20F8-7F50-4D9D-8442-3397DED4B18B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p42:*:*:*:*:*:*",
              "matchCriteriaId": "D175FCA2-F902-4470-BFF6-5EC2F31BB06D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p43:*:*:*:*:*:*",
              "matchCriteriaId": "5516ED19-5648-4BC8-A9C2-6EE41B1794C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p44:*:*:*:*:*:*",
              "matchCriteriaId": "28D5F229-EE33-42C4-A26D-23BC760720A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p45:*:*:*:*:*:*",
              "matchCriteriaId": "A00BE897-F462-4193-BF51-4381B04C076B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p46:*:*:*:*:*:*",
              "matchCriteriaId": "8D93DABB-4E8B-4DB4-BCD5-D495933D0223",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p5:*:*:*:*:*:*",
              "matchCriteriaId": "A9A1314A-20C8-42D7-9387-D914999EEAF6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p6:*:*:*:*:*:*",
              "matchCriteriaId": "CEF091C5-8DC6-4A41-9E84-F53BE703F71B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p7:*:*:*:*:*:*",
              "matchCriteriaId": "ACD65C28-9716-4073-8613-C4AF12684760",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p8:*:*:*:*:*:*",
              "matchCriteriaId": "2C58AFFF-848F-490D-A95C-03A267C2DC98",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p9:*:*:*:*:*:*",
              "matchCriteriaId": "B62DC188-89A8-4AEA-90AE-563F0BBEFC54",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "32AFCE22-5ADA-4FF7-A165-5EC12B325DEF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p1:*:*:*:*:*:*",
              "matchCriteriaId": "D3577FE6-F1F4-4555-8D27-84D6DE731EA3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p10:*:*:*:*:*:*",
              "matchCriteriaId": "931BD98E-1A5F-4634-945B-BDD7D2FAA8B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p11:*:*:*:*:*:*",
              "matchCriteriaId": "2E7C0A57-A887-4D29-B601-4275313F46B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p12:*:*:*:*:*:*",
              "matchCriteriaId": "B7248B91-D136-4DD5-A631-737E4C220A02",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p13:*:*:*:*:*:*",
              "matchCriteriaId": "494F6FD4-36ED-4E40-8336-7F077FA80FA8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p14:*:*:*:*:*:*",
              "matchCriteriaId": "9DF8C0CE-A71D-4BB1-83FB-1EA5ED77E0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p15:*:*:*:*:*:*",
              "matchCriteriaId": "E0648498-2EE5-4B68-8360-ED5914285356",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p16:*:*:*:*:*:*",
              "matchCriteriaId": "24282FF8-548B-415B-95CA-1EFD404D21D3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p17:*:*:*:*:*:*",
              "matchCriteriaId": "ACFDF2D9-ED72-4969-AA3B-E8D48CB1922D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p18:*:*:*:*:*:*",
              "matchCriteriaId": "2B7D0A8B-7A72-4C1A-85F2-BE336CA47E0B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p19:*:*:*:*:*:*",
              "matchCriteriaId": "019AFC34-289E-4A01-B08B-A5807F7F909A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p2:*:*:*:*:*:*",
              "matchCriteriaId": "7E7B3976-DA6F-4285-93E6-2328006F7F4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p20:*:*:*:*:*:*",
              "matchCriteriaId": "062E586F-0E02-45A6-93AD-895048FC2D4C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p21:*:*:*:*:*:*",
              "matchCriteriaId": "3EE37BEE-4BDB-4E62-8DE3-98CF74DFBE01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p22:*:*:*:*:*:*",
              "matchCriteriaId": "ADF51BCA-37DD-4642-B201-74A6D1A545FF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p23:*:*:*:*:*:*",
              "matchCriteriaId": "39611F3D-A898-4C35-8915-3334CDFB78E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24:*:*:*:*:*:*",
              "matchCriteriaId": "40AB56B7-7222-4C44-A271-45DFE3673F72",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24.1:*:*:*:*:*:*",
              "matchCriteriaId": "2AE8F501-4528-4F15-AE50-D4F11FB462DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p25:*:*:*:*:*:*",
              "matchCriteriaId": "AB9E054B-7790-4E74-A771-40BF6EC71610",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p26:*:*:*:*:*:*",
              "matchCriteriaId": "DD924E57-C77B-430B-A615-537BB39CEA9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p27:*:*:*:*:*:*",
              "matchCriteriaId": "F43F4AC0-7C82-4CF4-B0C7-3A4C567BC985",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p28:*:*:*:*:*:*",
              "matchCriteriaId": "7991F602-41D7-4377-B888-D66A467EAD67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p29:*:*:*:*:*:*",
              "matchCriteriaId": "2193FCA2-1AE3-497D-B0ED-5B89727410E3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p3:*:*:*:*:*:*",
              "matchCriteriaId": "FA310AFA-492D-4A6C-A7F6-740E82CB6E57",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p30:*:*:*:*:*:*",
              "matchCriteriaId": "FF95618B-0BFB-403C-83BE-C97879FC866D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p31:*:*:*:*:*:*",
              "matchCriteriaId": "A82346A9-9CC2-4B91-BA2F-A815AAA92A7F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p32:*:*:*:*:*:*",
              "matchCriteriaId": "2E800348-E139-418D-910B-7B3A9E1E721C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p33:*:*:*:*:*:*",
              "matchCriteriaId": "C7DE1A7E-573B-42F3-B0A4-D2E676954FE0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p34:*:*:*:*:*:*",
              "matchCriteriaId": "E60BC1D0-8552-4E6B-B2C5-96038448C238",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p35:*:*:*:*:*:*",
              "matchCriteriaId": "3924251E-13B0-420E-8080-D3312C3D54AF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p36:*:*:*:*:*:*",
              "matchCriteriaId": "AEBE75F9-A494-4C78-927A-EA564BDCCE0B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p37:*:*:*:*:*:*",
              "matchCriteriaId": "900BECBA-7FDB-4E35-9603-29706FB87BD2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p38:*:*:*:*:*:*",
              "matchCriteriaId": "5024FD58-A3ED-43B1-83EF-F4570C2573BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p39:*:*:*:*:*:*",
              "matchCriteriaId": "3CC9D046-4EB4-4608-8AB7-B60AC330A770",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p4:*:*:*:*:*:*",
              "matchCriteriaId": "2AF337B5-B296-449B-8848-7636EC7C46C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p40:*:*:*:*:*:*",
              "matchCriteriaId": "A4535EC5-74D5-41E8-95F1-5C033ADB043E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p41:*:*:*:*:*:*",
              "matchCriteriaId": "408E1BFD-16AA-458C-B040-04870522FEBD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p42:*:*:*:*:*:*",
              "matchCriteriaId": "205B2CDC-6423-4FD9-9FD0-847ADEB64003",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p5:*:*:*:*:*:*",
              "matchCriteriaId": "52232ACA-C158-48C8-A0DB-7689040CB8FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p6:*:*:*:*:*:*",
              "matchCriteriaId": "3B4D0040-86D0-46C3-8A9A-3DD12138B9ED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p7:*:*:*:*:*:*",
              "matchCriteriaId": "D2BB9BC7-078D-4E08-88E4-9432D74CA9BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p8:*:*:*:*:*:*",
              "matchCriteriaId": "F04D4B77-D386-4BC8-8169-9846693F6F11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p9:*:*:*:*:*:*",
              "matchCriteriaId": "992370FA-F171-4FB3-9C1C-58AC37038CE4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user\u0027s session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, including malformed \u003cimg\u003e tags with embedded JavaScript. The vulnerability is triggered when a user views a specially crafted email in the Classic UI, requiring no additional user interaction."
    },
    {
      "lang": "es",
      "value": "Se descubri\u00f3 un problema en Zimbra Collaboration (ZCS) 9.0.0 (anterior al parche 43), 10.0.x (anterior a la versi\u00f3n 10.0.12), 10.1.x (anterior a la versi\u00f3n 10.1.4) y 8.8.15 (anterior al parche 47). Una vulnerabilidad de Cross-Site Scripting (XSS) en la interfaz cl\u00e1sica de Zimbra permite a los atacantes ejecutar JavaScript arbitrario en la sesi\u00f3n de la v\u00edctima, lo que podr\u00eda provocar acceso no autorizado a informaci\u00f3n confidencial. Este problema se debe a una limpieza insuficiente del contenido HTML, incluyendo etiquetas  malformadas con JavaScript incrustado. La vulnerabilidad se activa cuando la v\u00edctima visualiza un correo electr\u00f3nico especialmente manipulado en la interfaz cl\u00e1sica, lo que provoca la ejecuci\u00f3n del script malicioso. No se requiere ninguna otra interacci\u00f3n del usuario m\u00e1s all\u00e1 de visualizar el correo electr\u00f3nico."
    }
  ],
  "id": "CVE-2024-45516",
  "lastModified": "2025-06-11T21:20:29.063",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-05-14T20:15:20.857",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.zimbra.com/wiki/Security_Center"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2025-32354

Vulnerability from fkie_nvd - Published: 2025-04-29 16:15 - Updated: 2025-06-11 21:20
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
In Zimbra Collaboration (ZCS) 9.0 through 10.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the GraphQL endpoint (/service/extension/graphql) of Zimbra webmail due to a lack of CSRF token validation. This allows attackers to perform unauthorized GraphQL operations, such as modifying contacts, changing account settings, and accessing sensitive user data when an authenticated user visits a malicious website.
References
cve@mitre.orghttps://wiki.zimbra.com/wiki/Security_CenterVendor Advisory
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_FixesRelease Notes
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_PolicyProduct
Impacted products
Vendor Product Version
synacor zimbra_collaboration_suite *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1A62D023-FC5F-4072-A887-A7DDC5BEC370",
              "versionEndExcluding": "10.1.4",
              "versionStartIncluding": "9.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Zimbra Collaboration (ZCS) 9.0 through 10.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the GraphQL endpoint (/service/extension/graphql) of Zimbra webmail due to a lack of CSRF token validation. This allows attackers to perform unauthorized GraphQL operations, such as modifying contacts, changing account settings, and accessing sensitive user data when an authenticated user visits a malicious website."
    },
    {
      "lang": "es",
      "value": "En Zimbra Collaboration (ZCS) 9.0 a 10.1, existe una vulnerabilidad de Cross-Site Request Forgery (CSRF) en el endpoint GraphQL (/service/extension/graphql) del correo web de Zimbra debido a la falta de validaci\u00f3n del token CSRF. Esto permite a los atacantes realizar operaciones GraphQL no autorizadas, como modificar contactos, cambiar la configuraci\u00f3n de la cuenta y acceder a datos confidenciales del usuario cuando este visita un sitio web malicioso."
    }
  ],
  "id": "CVE-2025-32354",
  "lastModified": "2025-06-11T21:20:21.863",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-04-29T16:15:34.770",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.zimbra.com/wiki/Security_Center"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2025-27915

Vulnerability from fkie_nvd - Published: 2025-03-12 15:15 - Updated: 2025-11-04 16:45
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a <details> tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration.
References
cve@mitre.orghttps://wiki.zimbra.com/wiki/Security_CenterRelease Notes
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.13#Security_FixesRelease Notes
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.5#Security_FixesRelease Notes
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P44#Security_FixesRelease Notes
134c704f-9b21-4f2e-91b3-4a467353bcc0https://strikeready.com/blog/0day-ics-attack-in-the-wild/Exploit, Third Party Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-27915US Government Resource
Impacted products
Vendor Product Version
synacor zimbra_collaboration_suite *
synacor zimbra_collaboration_suite *
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
To clipboard 

{
  "cisaActionDue": "2025-10-28",
  "cisaExploitAdd": "2025-10-07",
  "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
  "cisaVulnerabilityName": "Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7F7A8D86-7352-45D1-A809-D19FCC4A4ED0",
              "versionEndExcluding": "10.0.13",
              "versionStartIncluding": "10.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CD5597BA-6D2C-4E3A-AA67-0F29DA04CA76",
              "versionEndExcluding": "10.1.5",
              "versionStartIncluding": "10.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "32AFCE22-5ADA-4FF7-A165-5EC12B325DEF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p1:*:*:*:*:*:*",
              "matchCriteriaId": "D3577FE6-F1F4-4555-8D27-84D6DE731EA3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p10:*:*:*:*:*:*",
              "matchCriteriaId": "931BD98E-1A5F-4634-945B-BDD7D2FAA8B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p11:*:*:*:*:*:*",
              "matchCriteriaId": "2E7C0A57-A887-4D29-B601-4275313F46B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p12:*:*:*:*:*:*",
              "matchCriteriaId": "B7248B91-D136-4DD5-A631-737E4C220A02",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p13:*:*:*:*:*:*",
              "matchCriteriaId": "494F6FD4-36ED-4E40-8336-7F077FA80FA8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p14:*:*:*:*:*:*",
              "matchCriteriaId": "9DF8C0CE-A71D-4BB1-83FB-1EA5ED77E0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p15:*:*:*:*:*:*",
              "matchCriteriaId": "E0648498-2EE5-4B68-8360-ED5914285356",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p16:*:*:*:*:*:*",
              "matchCriteriaId": "24282FF8-548B-415B-95CA-1EFD404D21D3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p17:*:*:*:*:*:*",
              "matchCriteriaId": "ACFDF2D9-ED72-4969-AA3B-E8D48CB1922D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p18:*:*:*:*:*:*",
              "matchCriteriaId": "2B7D0A8B-7A72-4C1A-85F2-BE336CA47E0B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p19:*:*:*:*:*:*",
              "matchCriteriaId": "019AFC34-289E-4A01-B08B-A5807F7F909A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p2:*:*:*:*:*:*",
              "matchCriteriaId": "7E7B3976-DA6F-4285-93E6-2328006F7F4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p20:*:*:*:*:*:*",
              "matchCriteriaId": "062E586F-0E02-45A6-93AD-895048FC2D4C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p21:*:*:*:*:*:*",
              "matchCriteriaId": "3EE37BEE-4BDB-4E62-8DE3-98CF74DFBE01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p22:*:*:*:*:*:*",
              "matchCriteriaId": "ADF51BCA-37DD-4642-B201-74A6D1A545FF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p23:*:*:*:*:*:*",
              "matchCriteriaId": "39611F3D-A898-4C35-8915-3334CDFB78E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24:*:*:*:*:*:*",
              "matchCriteriaId": "40AB56B7-7222-4C44-A271-45DFE3673F72",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24.1:*:*:*:*:*:*",
              "matchCriteriaId": "2AE8F501-4528-4F15-AE50-D4F11FB462DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p25:*:*:*:*:*:*",
              "matchCriteriaId": "AB9E054B-7790-4E74-A771-40BF6EC71610",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p26:*:*:*:*:*:*",
              "matchCriteriaId": "DD924E57-C77B-430B-A615-537BB39CEA9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p27:*:*:*:*:*:*",
              "matchCriteriaId": "F43F4AC0-7C82-4CF4-B0C7-3A4C567BC985",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p28:*:*:*:*:*:*",
              "matchCriteriaId": "7991F602-41D7-4377-B888-D66A467EAD67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p29:*:*:*:*:*:*",
              "matchCriteriaId": "2193FCA2-1AE3-497D-B0ED-5B89727410E3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p3:*:*:*:*:*:*",
              "matchCriteriaId": "FA310AFA-492D-4A6C-A7F6-740E82CB6E57",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p30:*:*:*:*:*:*",
              "matchCriteriaId": "FF95618B-0BFB-403C-83BE-C97879FC866D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p31:*:*:*:*:*:*",
              "matchCriteriaId": "A82346A9-9CC2-4B91-BA2F-A815AAA92A7F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p32:*:*:*:*:*:*",
              "matchCriteriaId": "2E800348-E139-418D-910B-7B3A9E1E721C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p33:*:*:*:*:*:*",
              "matchCriteriaId": "C7DE1A7E-573B-42F3-B0A4-D2E676954FE0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p34:*:*:*:*:*:*",
              "matchCriteriaId": "E60BC1D0-8552-4E6B-B2C5-96038448C238",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p35:*:*:*:*:*:*",
              "matchCriteriaId": "3924251E-13B0-420E-8080-D3312C3D54AF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p36:*:*:*:*:*:*",
              "matchCriteriaId": "AEBE75F9-A494-4C78-927A-EA564BDCCE0B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p37:*:*:*:*:*:*",
              "matchCriteriaId": "900BECBA-7FDB-4E35-9603-29706FB87BD2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p38:*:*:*:*:*:*",
              "matchCriteriaId": "5024FD58-A3ED-43B1-83EF-F4570C2573BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p39:*:*:*:*:*:*",
              "matchCriteriaId": "3CC9D046-4EB4-4608-8AB7-B60AC330A770",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p4:*:*:*:*:*:*",
              "matchCriteriaId": "2AF337B5-B296-449B-8848-7636EC7C46C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p40:*:*:*:*:*:*",
              "matchCriteriaId": "A4535EC5-74D5-41E8-95F1-5C033ADB043E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p41:*:*:*:*:*:*",
              "matchCriteriaId": "408E1BFD-16AA-458C-B040-04870522FEBD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p42:*:*:*:*:*:*",
              "matchCriteriaId": "205B2CDC-6423-4FD9-9FD0-847ADEB64003",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p43:*:*:*:*:*:*",
              "matchCriteriaId": "CAE21C69-F080-4CE2-A39E-BF3509FB2005",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p5:*:*:*:*:*:*",
              "matchCriteriaId": "52232ACA-C158-48C8-A0DB-7689040CB8FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p6:*:*:*:*:*:*",
              "matchCriteriaId": "3B4D0040-86D0-46C3-8A9A-3DD12138B9ED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p7:*:*:*:*:*:*",
              "matchCriteriaId": "D2BB9BC7-078D-4E08-88E4-9432D74CA9BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p8:*:*:*:*:*:*",
              "matchCriteriaId": "F04D4B77-D386-4BC8-8169-9846693F6F11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p9:*:*:*:*:*:*",
              "matchCriteriaId": "992370FA-F171-4FB3-9C1C-58AC37038CE4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a \u003cdetails\u003e tag. This allows an attacker to run arbitrary JavaScript within the victim\u0027s session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim\u0027s account, including e-mail redirection and data exfiltration."
    },
    {
      "lang": "es",
      "value": "Se descubri\u00f3 un problema en Zimbra Collaboration (ZCS) 9.0, 10.0 y 10.1. Existe una vulnerabilidad de cross site scripting (XSS) almacenado en el cliente web cl\u00e1sico debido a una depuraci\u00f3n insuficiente del contenido HTML en los archivos ICS. Cuando un usuario visualiza un mensaje de correo electr\u00f3nico que contiene una entrada ICS maliciosa, su JavaScript incrustado se ejecuta mediante un evento ontoggle dentro de una etiqueta . Esto permite a un atacante ejecutar JavaScript arbitrario en la sesi\u00f3n de la v\u00edctima, lo que podr\u00eda provocar acciones no autorizadas, como configurar filtros de correo electr\u00f3nico para redirigir los mensajes a una direcci\u00f3n controlada por el atacante. Como resultado, un atacante puede realizar acciones no autorizadas en la cuenta de la v\u00edctima, como la redirecci\u00f3n de correo electr\u00f3nico y la exfiltraci\u00f3n de datos."
    }
  ],
  "id": "CVE-2025-27915",
  "lastModified": "2025-11-04T16:45:11.053",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-03-12T15:15:39.900",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Security_Center"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.13#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.5#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P44#Security_Fixes"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://strikeready.com/blog/0day-ics-attack-in-the-wild/"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-27915"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2025-25064

Vulnerability from fkie_nvd - Published: 2025-02-03 20:15 - Updated: 2025-06-11 21:18
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. Authenticated attackers can exploit this vulnerability by manipulating a specific parameter in the request, allowing them to inject arbitrary SQL queries that could retrieve email metadata.
References
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.12#Security_FixesRelease Notes
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_FixesRelease Notes
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Security_AdvisoriesVendor Advisory
Impacted products
Vendor Product Version
synacor zimbra_collaboration_suite *
synacor zimbra_collaboration_suite *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E603BD7A-730E-410C-BBE1-3E5A8DD2A72F",
              "versionEndExcluding": "10.0.12",
              "versionStartIncluding": "10.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "55361360-9F77-4731-82AD-82E65E4C5AA0",
              "versionEndExcluding": "10.1.4",
              "versionStartIncluding": "10.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. Authenticated attackers can exploit this vulnerability by manipulating a specific parameter in the request, allowing them to inject arbitrary SQL queries that could retrieve email metadata."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de inyecci\u00f3n SQL en ZimbraSyncService SOAP endpoint en Zimbra Collaboration 10.0.x anterior a 10.0.12 y 10.1.x anterior a 10.1.4."
    }
  ],
  "id": "CVE-2025-25064",
  "lastModified": "2025-06-11T21:18:03.333",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-02-03T20:15:37.257",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.12#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2025-25065

Vulnerability from fkie_nvd - Published: 2025-02-03 20:15 - Updated: 2025-06-11 21:18
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
SSRF vulnerability in the RSS feed parser in Zimbra Collaboration 9.0.0 before Patch 43, 10.0.x before 10.0.12, and 10.1.x before 10.1.4 allows unauthorized redirection to internal network endpoints.
References
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.12#Security_FixesRelease Notes
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_FixesRelease Notes
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P43#Security_FixesRelease Notes
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Security_AdvisoriesVendor Advisory
Impacted products
Vendor Product Version
synacor zimbra_collaboration_suite *
synacor zimbra_collaboration_suite *
synacor zimbra_collaboration_suite *
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "95359DBD-9E47-43B2-8B26-0C906059E24B",
              "versionEndExcluding": "9.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E603BD7A-730E-410C-BBE1-3E5A8DD2A72F",
              "versionEndExcluding": "10.0.12",
              "versionStartIncluding": "10.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "55361360-9F77-4731-82AD-82E65E4C5AA0",
              "versionEndExcluding": "10.1.4",
              "versionStartIncluding": "10.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "32AFCE22-5ADA-4FF7-A165-5EC12B325DEF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p1:*:*:*:*:*:*",
              "matchCriteriaId": "D3577FE6-F1F4-4555-8D27-84D6DE731EA3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p10:*:*:*:*:*:*",
              "matchCriteriaId": "931BD98E-1A5F-4634-945B-BDD7D2FAA8B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p11:*:*:*:*:*:*",
              "matchCriteriaId": "2E7C0A57-A887-4D29-B601-4275313F46B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p12:*:*:*:*:*:*",
              "matchCriteriaId": "B7248B91-D136-4DD5-A631-737E4C220A02",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p13:*:*:*:*:*:*",
              "matchCriteriaId": "494F6FD4-36ED-4E40-8336-7F077FA80FA8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p14:*:*:*:*:*:*",
              "matchCriteriaId": "9DF8C0CE-A71D-4BB1-83FB-1EA5ED77E0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p15:*:*:*:*:*:*",
              "matchCriteriaId": "E0648498-2EE5-4B68-8360-ED5914285356",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p16:*:*:*:*:*:*",
              "matchCriteriaId": "24282FF8-548B-415B-95CA-1EFD404D21D3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p17:*:*:*:*:*:*",
              "matchCriteriaId": "ACFDF2D9-ED72-4969-AA3B-E8D48CB1922D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p18:*:*:*:*:*:*",
              "matchCriteriaId": "2B7D0A8B-7A72-4C1A-85F2-BE336CA47E0B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p19:*:*:*:*:*:*",
              "matchCriteriaId": "019AFC34-289E-4A01-B08B-A5807F7F909A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p2:*:*:*:*:*:*",
              "matchCriteriaId": "7E7B3976-DA6F-4285-93E6-2328006F7F4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p20:*:*:*:*:*:*",
              "matchCriteriaId": "062E586F-0E02-45A6-93AD-895048FC2D4C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p21:*:*:*:*:*:*",
              "matchCriteriaId": "3EE37BEE-4BDB-4E62-8DE3-98CF74DFBE01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p22:*:*:*:*:*:*",
              "matchCriteriaId": "ADF51BCA-37DD-4642-B201-74A6D1A545FF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p23:*:*:*:*:*:*",
              "matchCriteriaId": "39611F3D-A898-4C35-8915-3334CDFB78E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24:*:*:*:*:*:*",
              "matchCriteriaId": "40AB56B7-7222-4C44-A271-45DFE3673F72",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24.1:*:*:*:*:*:*",
              "matchCriteriaId": "2AE8F501-4528-4F15-AE50-D4F11FB462DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p25:*:*:*:*:*:*",
              "matchCriteriaId": "AB9E054B-7790-4E74-A771-40BF6EC71610",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p26:*:*:*:*:*:*",
              "matchCriteriaId": "DD924E57-C77B-430B-A615-537BB39CEA9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p27:*:*:*:*:*:*",
              "matchCriteriaId": "F43F4AC0-7C82-4CF4-B0C7-3A4C567BC985",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p28:*:*:*:*:*:*",
              "matchCriteriaId": "7991F602-41D7-4377-B888-D66A467EAD67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p29:*:*:*:*:*:*",
              "matchCriteriaId": "2193FCA2-1AE3-497D-B0ED-5B89727410E3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p3:*:*:*:*:*:*",
              "matchCriteriaId": "FA310AFA-492D-4A6C-A7F6-740E82CB6E57",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p30:*:*:*:*:*:*",
              "matchCriteriaId": "FF95618B-0BFB-403C-83BE-C97879FC866D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p31:*:*:*:*:*:*",
              "matchCriteriaId": "A82346A9-9CC2-4B91-BA2F-A815AAA92A7F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p32:*:*:*:*:*:*",
              "matchCriteriaId": "2E800348-E139-418D-910B-7B3A9E1E721C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p33:*:*:*:*:*:*",
              "matchCriteriaId": "C7DE1A7E-573B-42F3-B0A4-D2E676954FE0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p34:*:*:*:*:*:*",
              "matchCriteriaId": "E60BC1D0-8552-4E6B-B2C5-96038448C238",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p35:*:*:*:*:*:*",
              "matchCriteriaId": "3924251E-13B0-420E-8080-D3312C3D54AF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p36:*:*:*:*:*:*",
              "matchCriteriaId": "AEBE75F9-A494-4C78-927A-EA564BDCCE0B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p37:*:*:*:*:*:*",
              "matchCriteriaId": "900BECBA-7FDB-4E35-9603-29706FB87BD2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p38:*:*:*:*:*:*",
              "matchCriteriaId": "5024FD58-A3ED-43B1-83EF-F4570C2573BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p39:*:*:*:*:*:*",
              "matchCriteriaId": "3CC9D046-4EB4-4608-8AB7-B60AC330A770",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p4:*:*:*:*:*:*",
              "matchCriteriaId": "2AF337B5-B296-449B-8848-7636EC7C46C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p40:*:*:*:*:*:*",
              "matchCriteriaId": "A4535EC5-74D5-41E8-95F1-5C033ADB043E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p41:*:*:*:*:*:*",
              "matchCriteriaId": "408E1BFD-16AA-458C-B040-04870522FEBD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p42:*:*:*:*:*:*",
              "matchCriteriaId": "205B2CDC-6423-4FD9-9FD0-847ADEB64003",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p5:*:*:*:*:*:*",
              "matchCriteriaId": "52232ACA-C158-48C8-A0DB-7689040CB8FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p6:*:*:*:*:*:*",
              "matchCriteriaId": "3B4D0040-86D0-46C3-8A9A-3DD12138B9ED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p7:*:*:*:*:*:*",
              "matchCriteriaId": "D2BB9BC7-078D-4E08-88E4-9432D74CA9BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p8:*:*:*:*:*:*",
              "matchCriteriaId": "F04D4B77-D386-4BC8-8169-9846693F6F11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p9:*:*:*:*:*:*",
              "matchCriteriaId": "992370FA-F171-4FB3-9C1C-58AC37038CE4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SSRF vulnerability in the RSS feed parser in Zimbra Collaboration 9.0.0 before Patch 43, 10.0.x before 10.0.12, and 10.1.x before 10.1.4 allows unauthorized redirection to internal network endpoints."
    },
    {
      "lang": "es",
      "value": "La vulnerabilidad SSRF en el analizador de fuentes RSS en Zimbra Collaboration 9.0.0 antes del parche 43, 10.0.x antes de 10.0.12 y 10.1.x antes de 10.1.4 permite la redirecci\u00f3n no autorizada a la red interna endpoints."
    }
  ],
  "id": "CVE-2025-25065",
  "lastModified": "2025-06-11T21:18:20.650",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-02-03T20:15:37.370",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.12#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P43#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2024-54663

Vulnerability from fkie_nvd - Published: 2024-12-19 23:15 - Updated: 2025-06-11 21:17
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
An issue was discovered in the Webmail Classic UI in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A Local File Inclusion (LFI) vulnerability exists in the /h/rest endpoint, allowing authenticated remote attackers to include and access sensitive files in the WebRoot directory. Exploitation requires a valid auth token and involves crafting a malicious request targeting specific file paths.
References
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.11#Security_FixesRelease Notes
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.3#Security_FixesRelease Notes
Impacted products
Vendor Product Version
synacor zimbra_collaboration_suite *
synacor zimbra_collaboration_suite *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "04227092-4E4B-4175-9F15-580F6FD3ED85",
              "versionEndExcluding": "10.0.11",
              "versionStartIncluding": "9.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "97A43199-9BB6-4987-AC3D-D8E50AEAD187",
              "versionEndExcluding": "10.1.3",
              "versionStartIncluding": "10.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in the Webmail Classic UI in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A Local File Inclusion (LFI) vulnerability exists in the /h/rest endpoint, allowing authenticated remote attackers to include and access sensitive files in the WebRoot directory. Exploitation requires a valid auth token and involves crafting a malicious request targeting specific file paths."
    },
    {
      "lang": "es",
      "value": "Se descubri\u00f3 un problema en Webmail Classic UI en Zimbra Collaboration (ZCS) 9.0, 10.0 y 10.1. Existe una vulnerabilidad de inclusi\u00f3n de archivos locales (LFI) en el endpoint /h/rest, que permite a atacantes remotos autenticados incluir y acceder a archivos confidenciales en el directorio WebRoot. La explotaci\u00f3n requiere un token de autenticaci\u00f3n v\u00e1lido e implica la manipulaci\u00f3n de una solicitud maliciosa dirigida a rutas de archivos espec\u00edficas."
    }
  ],
  "id": "CVE-2024-54663",
  "lastModified": "2025-06-11T21:17:48.333",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-12-19T23:15:07.023",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.11#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.3#Security_Fixes"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-829"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2024-45194

Vulnerability from fkie_nvd - Published: 2024-11-21 17:15 - Updated: 2025-06-11 15:40
Severity ?
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
In Zimbra Collaboration (ZCS) 9.0 and 10.0, a vulnerability in the Webmail Modern UI allows execution of stored Cross-Site Scripting (XSS) payloads. An attacker with administrative access to the Zimbra Administration Panel can inject malicious JavaScript code while configuring an email account. This injected code is stored on the server and executed in the context of the victim's browser when interacting with specific elements in the web interface. (The vulnerability can be mitigated by properly sanitizing input parameters to prevent the injection of malicious code.)
References
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_FixesRelease Notes
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_FixesRelease Notes
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_FixesRelease Notes
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_PolicyProduct
Impacted products
Vendor Product Version
synacor zimbra_collaboration_suite *
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 10.1.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CC78301D-6403-496F-A349-1C7BAC37797D",
              "versionEndExcluding": "10.0.9",
              "versionStartIncluding": "10.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "32AFCE22-5ADA-4FF7-A165-5EC12B325DEF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p1:*:*:*:*:*:*",
              "matchCriteriaId": "D3577FE6-F1F4-4555-8D27-84D6DE731EA3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p10:*:*:*:*:*:*",
              "matchCriteriaId": "931BD98E-1A5F-4634-945B-BDD7D2FAA8B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p11:*:*:*:*:*:*",
              "matchCriteriaId": "2E7C0A57-A887-4D29-B601-4275313F46B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p12:*:*:*:*:*:*",
              "matchCriteriaId": "B7248B91-D136-4DD5-A631-737E4C220A02",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p13:*:*:*:*:*:*",
              "matchCriteriaId": "494F6FD4-36ED-4E40-8336-7F077FA80FA8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p14:*:*:*:*:*:*",
              "matchCriteriaId": "9DF8C0CE-A71D-4BB1-83FB-1EA5ED77E0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p15:*:*:*:*:*:*",
              "matchCriteriaId": "E0648498-2EE5-4B68-8360-ED5914285356",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p16:*:*:*:*:*:*",
              "matchCriteriaId": "24282FF8-548B-415B-95CA-1EFD404D21D3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p17:*:*:*:*:*:*",
              "matchCriteriaId": "ACFDF2D9-ED72-4969-AA3B-E8D48CB1922D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p18:*:*:*:*:*:*",
              "matchCriteriaId": "2B7D0A8B-7A72-4C1A-85F2-BE336CA47E0B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p19:*:*:*:*:*:*",
              "matchCriteriaId": "019AFC34-289E-4A01-B08B-A5807F7F909A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p2:*:*:*:*:*:*",
              "matchCriteriaId": "7E7B3976-DA6F-4285-93E6-2328006F7F4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p20:*:*:*:*:*:*",
              "matchCriteriaId": "062E586F-0E02-45A6-93AD-895048FC2D4C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p21:*:*:*:*:*:*",
              "matchCriteriaId": "3EE37BEE-4BDB-4E62-8DE3-98CF74DFBE01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p22:*:*:*:*:*:*",
              "matchCriteriaId": "ADF51BCA-37DD-4642-B201-74A6D1A545FF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p23:*:*:*:*:*:*",
              "matchCriteriaId": "39611F3D-A898-4C35-8915-3334CDFB78E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24:*:*:*:*:*:*",
              "matchCriteriaId": "40AB56B7-7222-4C44-A271-45DFE3673F72",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24.1:*:*:*:*:*:*",
              "matchCriteriaId": "2AE8F501-4528-4F15-AE50-D4F11FB462DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p25:*:*:*:*:*:*",
              "matchCriteriaId": "AB9E054B-7790-4E74-A771-40BF6EC71610",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p26:*:*:*:*:*:*",
              "matchCriteriaId": "DD924E57-C77B-430B-A615-537BB39CEA9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p27:*:*:*:*:*:*",
              "matchCriteriaId": "F43F4AC0-7C82-4CF4-B0C7-3A4C567BC985",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p28:*:*:*:*:*:*",
              "matchCriteriaId": "7991F602-41D7-4377-B888-D66A467EAD67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p29:*:*:*:*:*:*",
              "matchCriteriaId": "2193FCA2-1AE3-497D-B0ED-5B89727410E3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p3:*:*:*:*:*:*",
              "matchCriteriaId": "FA310AFA-492D-4A6C-A7F6-740E82CB6E57",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p30:*:*:*:*:*:*",
              "matchCriteriaId": "FF95618B-0BFB-403C-83BE-C97879FC866D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p31:*:*:*:*:*:*",
              "matchCriteriaId": "A82346A9-9CC2-4B91-BA2F-A815AAA92A7F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p32:*:*:*:*:*:*",
              "matchCriteriaId": "2E800348-E139-418D-910B-7B3A9E1E721C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p33:*:*:*:*:*:*",
              "matchCriteriaId": "C7DE1A7E-573B-42F3-B0A4-D2E676954FE0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p34:*:*:*:*:*:*",
              "matchCriteriaId": "E60BC1D0-8552-4E6B-B2C5-96038448C238",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p35:*:*:*:*:*:*",
              "matchCriteriaId": "3924251E-13B0-420E-8080-D3312C3D54AF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p36:*:*:*:*:*:*",
              "matchCriteriaId": "AEBE75F9-A494-4C78-927A-EA564BDCCE0B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p37:*:*:*:*:*:*",
              "matchCriteriaId": "900BECBA-7FDB-4E35-9603-29706FB87BD2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p38:*:*:*:*:*:*",
              "matchCriteriaId": "5024FD58-A3ED-43B1-83EF-F4570C2573BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p39:*:*:*:*:*:*",
              "matchCriteriaId": "3CC9D046-4EB4-4608-8AB7-B60AC330A770",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p4:*:*:*:*:*:*",
              "matchCriteriaId": "2AF337B5-B296-449B-8848-7636EC7C46C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p40:*:*:*:*:*:*",
              "matchCriteriaId": "A4535EC5-74D5-41E8-95F1-5C033ADB043E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p5:*:*:*:*:*:*",
              "matchCriteriaId": "52232ACA-C158-48C8-A0DB-7689040CB8FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p6:*:*:*:*:*:*",
              "matchCriteriaId": "3B4D0040-86D0-46C3-8A9A-3DD12138B9ED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p7:*:*:*:*:*:*",
              "matchCriteriaId": "D2BB9BC7-078D-4E08-88E4-9432D74CA9BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p8:*:*:*:*:*:*",
              "matchCriteriaId": "F04D4B77-D386-4BC8-8169-9846693F6F11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p9:*:*:*:*:*:*",
              "matchCriteriaId": "992370FA-F171-4FB3-9C1C-58AC37038CE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:10.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C936B30B-C717-442B-8656-CF9EE3FC7C10",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Zimbra Collaboration (ZCS) 9.0 and 10.0, a vulnerability in the Webmail Modern UI allows execution of stored Cross-Site Scripting (XSS) payloads. An attacker with administrative access to the Zimbra Administration Panel can inject malicious JavaScript code while configuring an email account. This injected code is stored on the server and executed in the context of the victim\u0027s browser when interacting with specific elements in the web interface. (The vulnerability can be mitigated by properly sanitizing input parameters to prevent the injection of malicious code.)"
    },
    {
      "lang": "es",
      "value": "En Zimbra Collaboration (ZCS) 9.0 y 10.0, una vulnerabilidad en la interfaz de usuario moderna de Webmail permite la ejecuci\u00f3n de payloads de cross site scripting (XSS) almacenado. Un atacante con acceso administrativo al panel de administraci\u00f3n de Zimbra puede inyectar c\u00f3digo JavaScript malicioso mientras configura una cuenta de correo electr\u00f3nico. Este c\u00f3digo inyectado se almacena en el servidor y se ejecuta en el contexto del navegador de la v\u00edctima cuando interact\u00faa con elementos espec\u00edficos en la interfaz web. (La vulnerabilidad se puede mitigar desinfectando adecuadamente los par\u00e1metros de entrada para evitar la inyecci\u00f3n de c\u00f3digo malicioso)."
    }
  ],
  "id": "CVE-2024-45194",
  "lastModified": "2025-06-11T15:40:45.710",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-11-21T17:15:15.440",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2024-45517

Vulnerability from fkie_nvd - Published: 2024-11-21 17:15 - Updated: 2025-06-11 21:17
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A Cross-Site Scripting (XSS) vulnerability in the /h/rest endpoint of the Zimbra webmail and admin panel interfaces allows attackers to execute arbitrary JavaScript in the victim's session. This issue is caused by improper sanitization of user input, leading to potential compromise of sensitive information. Exploitation requires user interaction to access the malicious URL.
References
cve@mitre.orghttps://wiki.zimbra.com/wiki/Security_CenterVendor Advisory
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_FixesRelease Notes
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_FixesRelease Notes
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P46#Security_FixesRelease Notes
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_FixesRelease Notes
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_PolicyProduct
Impacted products
Vendor Product Version
synacor zimbra_collaboration_suite *
synacor zimbra_collaboration_suite *
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 10.1.1
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E8BF8662-919E-4A40-917F-FEA0EA73491C",
              "versionEndExcluding": "8.8.15",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CC78301D-6403-496F-A349-1C7BAC37797D",
              "versionEndExcluding": "10.0.9",
              "versionStartIncluding": "10.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:-:*:*:*:*:*:*",
              "matchCriteriaId": "9E39A855-C0EB-4448-AE96-177757C40C66",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p1:*:*:*:*:*:*",
              "matchCriteriaId": "FFE7BE6E-7A9A-40C7-B236-7A21103E9F41",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p10:*:*:*:*:*:*",
              "matchCriteriaId": "B5924FFC-BA19-48B3-BF4D-0C2DB3FCD407",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p11:*:*:*:*:*:*",
              "matchCriteriaId": "7822D273-C2CB-4EFE-B929-3D34C65E005E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p12:*:*:*:*:*:*",
              "matchCriteriaId": "F81528E8-FE3A-4C48-A747-34A3FF28BCAB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p13:*:*:*:*:*:*",
              "matchCriteriaId": "D772D4BA-9ED6-492C-A0D3-0AF4F3D49037",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p14:*:*:*:*:*:*",
              "matchCriteriaId": "C2A468FE-B59B-4CE9-B9B2-C836EEAFA3E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p15:*:*:*:*:*:*",
              "matchCriteriaId": "04BECDE0-F082-49FB-ACA2-5C808902AA17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p16:*:*:*:*:*:*",
              "matchCriteriaId": "56558FD4-4391-4199-BA6B-B53F5DC30144",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p17:*:*:*:*:*:*",
              "matchCriteriaId": "69A530D3-B84E-427B-BC92-64BBFEF331BE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p18:*:*:*:*:*:*",
              "matchCriteriaId": "3C0DCE7F-85A4-44C6-88C8-380B0BBBFA7E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p19:*:*:*:*:*:*",
              "matchCriteriaId": "180AF8B6-55AE-460C-B613-37FB697B5325",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p2:*:*:*:*:*:*",
              "matchCriteriaId": "6FCB5528-70FD-4525-A78B-D5537609331A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p20:*:*:*:*:*:*",
              "matchCriteriaId": "34B07279-A26A-4EB1-8B33-885AD854018B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p21:*:*:*:*:*:*",
              "matchCriteriaId": "97402ADA-AB05-4A92-920D-EA5363424FDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p22:*:*:*:*:*:*",
              "matchCriteriaId": "697A1D34-FF0C-4F9E-8E91-34404A366D70",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p23:*:*:*:*:*:*",
              "matchCriteriaId": "9030D096-87A1-4AFF-BB7C-CE71990005B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p24:*:*:*:*:*:*",
              "matchCriteriaId": "F211A8B1-E33E-49BE-9C18-31B1902EB4FE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p25:*:*:*:*:*:*",
              "matchCriteriaId": "4152CEA2-9DC1-4567-BAB3-9C36F74F77EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p26:*:*:*:*:*:*",
              "matchCriteriaId": "9BC02B35-7FC4-41AB-8D2E-2CD1896D84C6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p27:*:*:*:*:*:*",
              "matchCriteriaId": "0294CB8B-B0AF-4A5C-B6B2-33F5BFFFBD4C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p28:*:*:*:*:*:*",
              "matchCriteriaId": "968A75B4-6D23-4B83-A8B5-777D8F151E04",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p29:*:*:*:*:*:*",
              "matchCriteriaId": "5E11BC24-56A3-4CAB-B0B2-D2430CD80767",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p3:*:*:*:*:*:*",
              "matchCriteriaId": "EF2EE32D-04A5-46EA-92F0-3C8D74A4B82A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p30:*:*:*:*:*:*",
              "matchCriteriaId": "50FB0099-0495-4735-9398-7F7E657F459B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p31:*:*:*:*:*:*",
              "matchCriteriaId": "FAE2858A-6D9E-4D79-AFA6-69C44D6D8C75",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p31.1:*:*:*:*:*:*",
              "matchCriteriaId": "5C1D9EB8-E3FE-4BF3-8517-603BA4B126C2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p32:*:*:*:*:*:*",
              "matchCriteriaId": "50A296BC-6DA4-41B2-923A-0633566AD6C1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p33:*:*:*:*:*:*",
              "matchCriteriaId": "C066ED38-1175-48FB-BE05-BE0C19E9EBE7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p34:*:*:*:*:*:*",
              "matchCriteriaId": "89B3EF32-B474-44DB-AE30-CD308CDC5A77",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p35:*:*:*:*:*:*",
              "matchCriteriaId": "A9ECCB00-F3F4-4EB7-9FD0-4CB64678B129",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p36:*:*:*:*:*:*",
              "matchCriteriaId": "37739F7A-490F-42A8-B97D-D09A3EDB85DC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p37:*:*:*:*:*:*",
              "matchCriteriaId": "518662DA-C0F3-4875-86D7-5ED2B2496CC8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p38:*:*:*:*:*:*",
              "matchCriteriaId": "64B28BE5-F35D-4AB0-A321-CEAE21BC26FF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p39:*:*:*:*:*:*",
              "matchCriteriaId": "9DFBABD6-70F2-4E3B-A9C0-82DE76D48542",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p4:*:*:*:*:*:*",
              "matchCriteriaId": "BB3C28CA-4C22-423E-B1C7-CBAFBB91F4DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p40:*:*:*:*:*:*",
              "matchCriteriaId": "0D2D6DBD-560A-4F8E-B2CC-67A564C460A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p41:*:*:*:*:*:*",
              "matchCriteriaId": "BFBC20F8-7F50-4D9D-8442-3397DED4B18B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p42:*:*:*:*:*:*",
              "matchCriteriaId": "D175FCA2-F902-4470-BFF6-5EC2F31BB06D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p43:*:*:*:*:*:*",
              "matchCriteriaId": "5516ED19-5648-4BC8-A9C2-6EE41B1794C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p44:*:*:*:*:*:*",
              "matchCriteriaId": "28D5F229-EE33-42C4-A26D-23BC760720A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p45:*:*:*:*:*:*",
              "matchCriteriaId": "A00BE897-F462-4193-BF51-4381B04C076B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p5:*:*:*:*:*:*",
              "matchCriteriaId": "A9A1314A-20C8-42D7-9387-D914999EEAF6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p6:*:*:*:*:*:*",
              "matchCriteriaId": "CEF091C5-8DC6-4A41-9E84-F53BE703F71B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p7:*:*:*:*:*:*",
              "matchCriteriaId": "ACD65C28-9716-4073-8613-C4AF12684760",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p8:*:*:*:*:*:*",
              "matchCriteriaId": "2C58AFFF-848F-490D-A95C-03A267C2DC98",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p9:*:*:*:*:*:*",
              "matchCriteriaId": "B62DC188-89A8-4AEA-90AE-563F0BBEFC54",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "32AFCE22-5ADA-4FF7-A165-5EC12B325DEF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p1:*:*:*:*:*:*",
              "matchCriteriaId": "D3577FE6-F1F4-4555-8D27-84D6DE731EA3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p10:*:*:*:*:*:*",
              "matchCriteriaId": "931BD98E-1A5F-4634-945B-BDD7D2FAA8B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p11:*:*:*:*:*:*",
              "matchCriteriaId": "2E7C0A57-A887-4D29-B601-4275313F46B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p12:*:*:*:*:*:*",
              "matchCriteriaId": "B7248B91-D136-4DD5-A631-737E4C220A02",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p13:*:*:*:*:*:*",
              "matchCriteriaId": "494F6FD4-36ED-4E40-8336-7F077FA80FA8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p14:*:*:*:*:*:*",
              "matchCriteriaId": "9DF8C0CE-A71D-4BB1-83FB-1EA5ED77E0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p15:*:*:*:*:*:*",
              "matchCriteriaId": "E0648498-2EE5-4B68-8360-ED5914285356",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p16:*:*:*:*:*:*",
              "matchCriteriaId": "24282FF8-548B-415B-95CA-1EFD404D21D3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p17:*:*:*:*:*:*",
              "matchCriteriaId": "ACFDF2D9-ED72-4969-AA3B-E8D48CB1922D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p18:*:*:*:*:*:*",
              "matchCriteriaId": "2B7D0A8B-7A72-4C1A-85F2-BE336CA47E0B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p19:*:*:*:*:*:*",
              "matchCriteriaId": "019AFC34-289E-4A01-B08B-A5807F7F909A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p2:*:*:*:*:*:*",
              "matchCriteriaId": "7E7B3976-DA6F-4285-93E6-2328006F7F4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p20:*:*:*:*:*:*",
              "matchCriteriaId": "062E586F-0E02-45A6-93AD-895048FC2D4C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p21:*:*:*:*:*:*",
              "matchCriteriaId": "3EE37BEE-4BDB-4E62-8DE3-98CF74DFBE01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p22:*:*:*:*:*:*",
              "matchCriteriaId": "ADF51BCA-37DD-4642-B201-74A6D1A545FF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p23:*:*:*:*:*:*",
              "matchCriteriaId": "39611F3D-A898-4C35-8915-3334CDFB78E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24:*:*:*:*:*:*",
              "matchCriteriaId": "40AB56B7-7222-4C44-A271-45DFE3673F72",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24.1:*:*:*:*:*:*",
              "matchCriteriaId": "2AE8F501-4528-4F15-AE50-D4F11FB462DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p25:*:*:*:*:*:*",
              "matchCriteriaId": "AB9E054B-7790-4E74-A771-40BF6EC71610",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p26:*:*:*:*:*:*",
              "matchCriteriaId": "DD924E57-C77B-430B-A615-537BB39CEA9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p27:*:*:*:*:*:*",
              "matchCriteriaId": "F43F4AC0-7C82-4CF4-B0C7-3A4C567BC985",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p28:*:*:*:*:*:*",
              "matchCriteriaId": "7991F602-41D7-4377-B888-D66A467EAD67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p29:*:*:*:*:*:*",
              "matchCriteriaId": "2193FCA2-1AE3-497D-B0ED-5B89727410E3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p3:*:*:*:*:*:*",
              "matchCriteriaId": "FA310AFA-492D-4A6C-A7F6-740E82CB6E57",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p30:*:*:*:*:*:*",
              "matchCriteriaId": "FF95618B-0BFB-403C-83BE-C97879FC866D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p31:*:*:*:*:*:*",
              "matchCriteriaId": "A82346A9-9CC2-4B91-BA2F-A815AAA92A7F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p32:*:*:*:*:*:*",
              "matchCriteriaId": "2E800348-E139-418D-910B-7B3A9E1E721C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p33:*:*:*:*:*:*",
              "matchCriteriaId": "C7DE1A7E-573B-42F3-B0A4-D2E676954FE0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p34:*:*:*:*:*:*",
              "matchCriteriaId": "E60BC1D0-8552-4E6B-B2C5-96038448C238",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p35:*:*:*:*:*:*",
              "matchCriteriaId": "3924251E-13B0-420E-8080-D3312C3D54AF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p36:*:*:*:*:*:*",
              "matchCriteriaId": "AEBE75F9-A494-4C78-927A-EA564BDCCE0B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p37:*:*:*:*:*:*",
              "matchCriteriaId": "900BECBA-7FDB-4E35-9603-29706FB87BD2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p38:*:*:*:*:*:*",
              "matchCriteriaId": "5024FD58-A3ED-43B1-83EF-F4570C2573BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p39:*:*:*:*:*:*",
              "matchCriteriaId": "3CC9D046-4EB4-4608-8AB7-B60AC330A770",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p4:*:*:*:*:*:*",
              "matchCriteriaId": "2AF337B5-B296-449B-8848-7636EC7C46C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p40:*:*:*:*:*:*",
              "matchCriteriaId": "A4535EC5-74D5-41E8-95F1-5C033ADB043E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p5:*:*:*:*:*:*",
              "matchCriteriaId": "52232ACA-C158-48C8-A0DB-7689040CB8FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p6:*:*:*:*:*:*",
              "matchCriteriaId": "3B4D0040-86D0-46C3-8A9A-3DD12138B9ED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p7:*:*:*:*:*:*",
              "matchCriteriaId": "D2BB9BC7-078D-4E08-88E4-9432D74CA9BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p8:*:*:*:*:*:*",
              "matchCriteriaId": "F04D4B77-D386-4BC8-8169-9846693F6F11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p9:*:*:*:*:*:*",
              "matchCriteriaId": "992370FA-F171-4FB3-9C1C-58AC37038CE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:10.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "8D638AB2-0241-412C-8CBE-D3A69D01CF3A",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A Cross-Site Scripting (XSS) vulnerability in the /h/rest endpoint of the Zimbra webmail and admin panel interfaces allows attackers to execute arbitrary JavaScript in the victim\u0027s session. This issue is caused by improper sanitization of user input, leading to potential compromise of sensitive information. Exploitation requires user interaction to access the malicious URL."
    },
    {
      "lang": "es",
      "value": "Se descubri\u00f3 un problema en Zimbra Collaboration (ZCS) hasta la versi\u00f3n 10.1. Una vulnerabilidad de cross site scripting (XSS) en el endpoint /h/rest de las interfaces del panel de administraci\u00f3n y del correo web de Zimbra permite a los atacantes ejecutar c\u00f3digo JavaScript arbitrario en la sesi\u00f3n de la v\u00edctima. Este problema se debe a una desinfecci\u00f3n inadecuada de la entrada del usuario, lo que puede poner en riesgo la informaci\u00f3n confidencial. La explotaci\u00f3n requiere la interacci\u00f3n del usuario para acceder a la URL maliciosa."
    }
  ],
  "id": "CVE-2024-45517",
  "lastModified": "2025-06-11T21:17:35.417",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-11-21T17:15:15.967",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.zimbra.com/wiki/Security_Center"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P46#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2024-45513

Vulnerability from fkie_nvd - Published: 2024-11-21 17:15 - Updated: 2025-06-11 21:17
Severity ?
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A stored Cross-Site Scripting (XSS) vulnerability exists in the /modern/contacts/print endpoint of Zimbra webmail. This allows an attacker to inject and execute arbitrary JavaScript code in the context of the victim's browser when a crafted vCard (VCF) file is processed and printed. This could lead to unauthorized actions within the victim's session.
References
cve@mitre.orghttps://wiki.zimbra.com/wiki/Security_CenterVendor Advisory
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_FixesRelease Notes
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_FixesRelease Notes
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_FixesRelease Notes
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_PolicyProduct
Impacted products
Vendor Product Version
synacor zimbra_collaboration_suite *
synacor zimbra_collaboration_suite *
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 10.1.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "95359DBD-9E47-43B2-8B26-0C906059E24B",
              "versionEndExcluding": "9.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CC78301D-6403-496F-A349-1C7BAC37797D",
              "versionEndExcluding": "10.0.9",
              "versionStartIncluding": "10.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "32AFCE22-5ADA-4FF7-A165-5EC12B325DEF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p1:*:*:*:*:*:*",
              "matchCriteriaId": "D3577FE6-F1F4-4555-8D27-84D6DE731EA3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p10:*:*:*:*:*:*",
              "matchCriteriaId": "931BD98E-1A5F-4634-945B-BDD7D2FAA8B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p11:*:*:*:*:*:*",
              "matchCriteriaId": "2E7C0A57-A887-4D29-B601-4275313F46B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p12:*:*:*:*:*:*",
              "matchCriteriaId": "B7248B91-D136-4DD5-A631-737E4C220A02",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p13:*:*:*:*:*:*",
              "matchCriteriaId": "494F6FD4-36ED-4E40-8336-7F077FA80FA8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p14:*:*:*:*:*:*",
              "matchCriteriaId": "9DF8C0CE-A71D-4BB1-83FB-1EA5ED77E0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p15:*:*:*:*:*:*",
              "matchCriteriaId": "E0648498-2EE5-4B68-8360-ED5914285356",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p16:*:*:*:*:*:*",
              "matchCriteriaId": "24282FF8-548B-415B-95CA-1EFD404D21D3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p17:*:*:*:*:*:*",
              "matchCriteriaId": "ACFDF2D9-ED72-4969-AA3B-E8D48CB1922D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p18:*:*:*:*:*:*",
              "matchCriteriaId": "2B7D0A8B-7A72-4C1A-85F2-BE336CA47E0B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p19:*:*:*:*:*:*",
              "matchCriteriaId": "019AFC34-289E-4A01-B08B-A5807F7F909A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p2:*:*:*:*:*:*",
              "matchCriteriaId": "7E7B3976-DA6F-4285-93E6-2328006F7F4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p20:*:*:*:*:*:*",
              "matchCriteriaId": "062E586F-0E02-45A6-93AD-895048FC2D4C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p21:*:*:*:*:*:*",
              "matchCriteriaId": "3EE37BEE-4BDB-4E62-8DE3-98CF74DFBE01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p22:*:*:*:*:*:*",
              "matchCriteriaId": "ADF51BCA-37DD-4642-B201-74A6D1A545FF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p23:*:*:*:*:*:*",
              "matchCriteriaId": "39611F3D-A898-4C35-8915-3334CDFB78E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24:*:*:*:*:*:*",
              "matchCriteriaId": "40AB56B7-7222-4C44-A271-45DFE3673F72",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24.1:*:*:*:*:*:*",
              "matchCriteriaId": "2AE8F501-4528-4F15-AE50-D4F11FB462DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p25:*:*:*:*:*:*",
              "matchCriteriaId": "AB9E054B-7790-4E74-A771-40BF6EC71610",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p26:*:*:*:*:*:*",
              "matchCriteriaId": "DD924E57-C77B-430B-A615-537BB39CEA9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p27:*:*:*:*:*:*",
              "matchCriteriaId": "F43F4AC0-7C82-4CF4-B0C7-3A4C567BC985",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p28:*:*:*:*:*:*",
              "matchCriteriaId": "7991F602-41D7-4377-B888-D66A467EAD67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p29:*:*:*:*:*:*",
              "matchCriteriaId": "2193FCA2-1AE3-497D-B0ED-5B89727410E3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p3:*:*:*:*:*:*",
              "matchCriteriaId": "FA310AFA-492D-4A6C-A7F6-740E82CB6E57",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p30:*:*:*:*:*:*",
              "matchCriteriaId": "FF95618B-0BFB-403C-83BE-C97879FC866D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p31:*:*:*:*:*:*",
              "matchCriteriaId": "A82346A9-9CC2-4B91-BA2F-A815AAA92A7F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p32:*:*:*:*:*:*",
              "matchCriteriaId": "2E800348-E139-418D-910B-7B3A9E1E721C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p33:*:*:*:*:*:*",
              "matchCriteriaId": "C7DE1A7E-573B-42F3-B0A4-D2E676954FE0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p34:*:*:*:*:*:*",
              "matchCriteriaId": "E60BC1D0-8552-4E6B-B2C5-96038448C238",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p35:*:*:*:*:*:*",
              "matchCriteriaId": "3924251E-13B0-420E-8080-D3312C3D54AF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p36:*:*:*:*:*:*",
              "matchCriteriaId": "AEBE75F9-A494-4C78-927A-EA564BDCCE0B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p37:*:*:*:*:*:*",
              "matchCriteriaId": "900BECBA-7FDB-4E35-9603-29706FB87BD2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p38:*:*:*:*:*:*",
              "matchCriteriaId": "5024FD58-A3ED-43B1-83EF-F4570C2573BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p39:*:*:*:*:*:*",
              "matchCriteriaId": "3CC9D046-4EB4-4608-8AB7-B60AC330A770",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p4:*:*:*:*:*:*",
              "matchCriteriaId": "2AF337B5-B296-449B-8848-7636EC7C46C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p40:*:*:*:*:*:*",
              "matchCriteriaId": "A4535EC5-74D5-41E8-95F1-5C033ADB043E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p5:*:*:*:*:*:*",
              "matchCriteriaId": "52232ACA-C158-48C8-A0DB-7689040CB8FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p6:*:*:*:*:*:*",
              "matchCriteriaId": "3B4D0040-86D0-46C3-8A9A-3DD12138B9ED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p7:*:*:*:*:*:*",
              "matchCriteriaId": "D2BB9BC7-078D-4E08-88E4-9432D74CA9BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p8:*:*:*:*:*:*",
              "matchCriteriaId": "F04D4B77-D386-4BC8-8169-9846693F6F11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p9:*:*:*:*:*:*",
              "matchCriteriaId": "992370FA-F171-4FB3-9C1C-58AC37038CE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:10.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C936B30B-C717-442B-8656-CF9EE3FC7C10",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A stored Cross-Site Scripting (XSS) vulnerability exists in the /modern/contacts/print endpoint of Zimbra webmail. This allows an attacker to inject and execute arbitrary JavaScript code in the context of the victim\u0027s browser when a crafted vCard (VCF) file is processed and printed. This could lead to unauthorized actions within the victim\u0027s session."
    },
    {
      "lang": "es",
      "value": "Se descubri\u00f3 un problema en Zimbra Collaboration (ZCS) hasta la versi\u00f3n 10.1. Existe una vulnerabilidad de cross site scripting (XSS) almacenado en el endpoint /modern/contacts/print del correo web de Zimbra. Esto permite que un atacante inyecte y ejecute c\u00f3digo JavaScript arbitrario en el contexto del navegador de la v\u00edctima cuando se procesa e imprime un archivo vCard (VCF) manipulado. Esto podr\u00eda provocar acciones no autorizadas dentro de la sesi\u00f3n de la v\u00edctima."
    }
  ],
  "id": "CVE-2024-45513",
  "lastModified": "2025-06-11T21:17:25.640",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-11-21T17:15:15.793",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.zimbra.com/wiki/Security_Center"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2024-45512

Vulnerability from fkie_nvd - Published: 2024-11-21 16:15 - Updated: 2025-06-11 21:17
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
An issue was discovered in webmail in Zimbra Collaboration (ZCS) through 10.1. An attacker can exploit this vulnerability by creating a folder in the Briefcase module with a malicious payload and sharing it with a victim. When the victim interacts with the folder share notification, the malicious script executes in their browser. This stored Cross-Site Scripting (XSS) vulnerability can lead to unauthorized actions within the victim's session.
References
cve@mitre.orghttps://wiki.zimbra.com/wiki/Security_CenterVendor Advisory
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_FixesRelease Notes
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_FixesRelease Notes
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_FixesRelease Notes
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_PolicyProduct
Impacted products
Vendor Product Version
synacor zimbra_collaboration_suite *
synacor zimbra_collaboration_suite *
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 10.1.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "95359DBD-9E47-43B2-8B26-0C906059E24B",
              "versionEndExcluding": "9.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CC78301D-6403-496F-A349-1C7BAC37797D",
              "versionEndExcluding": "10.0.9",
              "versionStartIncluding": "10.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "32AFCE22-5ADA-4FF7-A165-5EC12B325DEF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p1:*:*:*:*:*:*",
              "matchCriteriaId": "D3577FE6-F1F4-4555-8D27-84D6DE731EA3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p10:*:*:*:*:*:*",
              "matchCriteriaId": "931BD98E-1A5F-4634-945B-BDD7D2FAA8B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p11:*:*:*:*:*:*",
              "matchCriteriaId": "2E7C0A57-A887-4D29-B601-4275313F46B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p12:*:*:*:*:*:*",
              "matchCriteriaId": "B7248B91-D136-4DD5-A631-737E4C220A02",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p13:*:*:*:*:*:*",
              "matchCriteriaId": "494F6FD4-36ED-4E40-8336-7F077FA80FA8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p14:*:*:*:*:*:*",
              "matchCriteriaId": "9DF8C0CE-A71D-4BB1-83FB-1EA5ED77E0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p15:*:*:*:*:*:*",
              "matchCriteriaId": "E0648498-2EE5-4B68-8360-ED5914285356",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p16:*:*:*:*:*:*",
              "matchCriteriaId": "24282FF8-548B-415B-95CA-1EFD404D21D3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p17:*:*:*:*:*:*",
              "matchCriteriaId": "ACFDF2D9-ED72-4969-AA3B-E8D48CB1922D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p18:*:*:*:*:*:*",
              "matchCriteriaId": "2B7D0A8B-7A72-4C1A-85F2-BE336CA47E0B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p19:*:*:*:*:*:*",
              "matchCriteriaId": "019AFC34-289E-4A01-B08B-A5807F7F909A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p2:*:*:*:*:*:*",
              "matchCriteriaId": "7E7B3976-DA6F-4285-93E6-2328006F7F4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p20:*:*:*:*:*:*",
              "matchCriteriaId": "062E586F-0E02-45A6-93AD-895048FC2D4C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p21:*:*:*:*:*:*",
              "matchCriteriaId": "3EE37BEE-4BDB-4E62-8DE3-98CF74DFBE01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p22:*:*:*:*:*:*",
              "matchCriteriaId": "ADF51BCA-37DD-4642-B201-74A6D1A545FF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p23:*:*:*:*:*:*",
              "matchCriteriaId": "39611F3D-A898-4C35-8915-3334CDFB78E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24:*:*:*:*:*:*",
              "matchCriteriaId": "40AB56B7-7222-4C44-A271-45DFE3673F72",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24.1:*:*:*:*:*:*",
              "matchCriteriaId": "2AE8F501-4528-4F15-AE50-D4F11FB462DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p25:*:*:*:*:*:*",
              "matchCriteriaId": "AB9E054B-7790-4E74-A771-40BF6EC71610",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p26:*:*:*:*:*:*",
              "matchCriteriaId": "DD924E57-C77B-430B-A615-537BB39CEA9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p27:*:*:*:*:*:*",
              "matchCriteriaId": "F43F4AC0-7C82-4CF4-B0C7-3A4C567BC985",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p28:*:*:*:*:*:*",
              "matchCriteriaId": "7991F602-41D7-4377-B888-D66A467EAD67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p29:*:*:*:*:*:*",
              "matchCriteriaId": "2193FCA2-1AE3-497D-B0ED-5B89727410E3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p3:*:*:*:*:*:*",
              "matchCriteriaId": "FA310AFA-492D-4A6C-A7F6-740E82CB6E57",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p30:*:*:*:*:*:*",
              "matchCriteriaId": "FF95618B-0BFB-403C-83BE-C97879FC866D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p31:*:*:*:*:*:*",
              "matchCriteriaId": "A82346A9-9CC2-4B91-BA2F-A815AAA92A7F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p32:*:*:*:*:*:*",
              "matchCriteriaId": "2E800348-E139-418D-910B-7B3A9E1E721C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p33:*:*:*:*:*:*",
              "matchCriteriaId": "C7DE1A7E-573B-42F3-B0A4-D2E676954FE0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p34:*:*:*:*:*:*",
              "matchCriteriaId": "E60BC1D0-8552-4E6B-B2C5-96038448C238",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p35:*:*:*:*:*:*",
              "matchCriteriaId": "3924251E-13B0-420E-8080-D3312C3D54AF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p36:*:*:*:*:*:*",
              "matchCriteriaId": "AEBE75F9-A494-4C78-927A-EA564BDCCE0B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p37:*:*:*:*:*:*",
              "matchCriteriaId": "900BECBA-7FDB-4E35-9603-29706FB87BD2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p38:*:*:*:*:*:*",
              "matchCriteriaId": "5024FD58-A3ED-43B1-83EF-F4570C2573BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p39:*:*:*:*:*:*",
              "matchCriteriaId": "3CC9D046-4EB4-4608-8AB7-B60AC330A770",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p4:*:*:*:*:*:*",
              "matchCriteriaId": "2AF337B5-B296-449B-8848-7636EC7C46C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p40:*:*:*:*:*:*",
              "matchCriteriaId": "A4535EC5-74D5-41E8-95F1-5C033ADB043E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p5:*:*:*:*:*:*",
              "matchCriteriaId": "52232ACA-C158-48C8-A0DB-7689040CB8FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p6:*:*:*:*:*:*",
              "matchCriteriaId": "3B4D0040-86D0-46C3-8A9A-3DD12138B9ED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p7:*:*:*:*:*:*",
              "matchCriteriaId": "D2BB9BC7-078D-4E08-88E4-9432D74CA9BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p8:*:*:*:*:*:*",
              "matchCriteriaId": "F04D4B77-D386-4BC8-8169-9846693F6F11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p9:*:*:*:*:*:*",
              "matchCriteriaId": "992370FA-F171-4FB3-9C1C-58AC37038CE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:10.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C936B30B-C717-442B-8656-CF9EE3FC7C10",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in webmail in Zimbra Collaboration (ZCS) through 10.1. An attacker can exploit this vulnerability by creating a folder in the Briefcase module with a malicious payload and sharing it with a victim. When the victim interacts with the folder share notification, the malicious script executes in their browser. This stored Cross-Site Scripting (XSS) vulnerability can lead to unauthorized actions within the victim\u0027s session."
    },
    {
      "lang": "es",
      "value": "Se descubri\u00f3 un problema en el correo web en Zimbra Collaboration (ZCS) hasta la versi\u00f3n 10.1. Un atacante puede aprovechar esta vulnerabilidad creando una carpeta en el m\u00f3dulo Briefcase con un payload malicioso y comparti\u00e9ndola con una v\u00edctima. Cuando la v\u00edctima interact\u00faa con la notificaci\u00f3n de uso compartido de carpeta, el script malicioso se ejecuta en su navegador. Esta vulnerabilidad de cross site scripting (XSS) almacenado puede provocar acciones no autorizadas dentro de la sesi\u00f3n de la v\u00edctima."
    }
  ],
  "id": "CVE-2024-45512",
  "lastModified": "2025-06-11T21:17:07.337",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-11-21T16:15:25.637",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.zimbra.com/wiki/Security_Center"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2024-45514

Vulnerability from fkie_nvd - Published: 2024-11-21 16:15 - Updated: 2025-06-11 21:17
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
An issue was discovered in Zimbra Collaboration (ZCS) through v10.1. A Cross-Site Scripting (XSS) vulnerability exists in one of the endpoints of Zimbra Webmail due to insufficient sanitization of the packages parameter. Attackers can bypass the existing checks by using encoded characters, allowing the injection and execution of arbitrary JavaScript within a victim's session.
References
cve@mitre.orghttps://wiki.zimbra.com/wiki/Security_CenterVendor Advisory
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_FixesRelease Notes
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_FixesRelease Notes
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P46#Security_FixesRelease Notes
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_FixesRelease Notes
cve@mitre.orghttps://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_PolicyProduct
Impacted products
Vendor Product Version
synacor zimbra_collaboration_suite *
synacor zimbra_collaboration_suite *
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 8.8.15
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 9.0.0
synacor zimbra_collaboration_suite 10.1.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E8BF8662-919E-4A40-917F-FEA0EA73491C",
              "versionEndExcluding": "8.8.15",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CC78301D-6403-496F-A349-1C7BAC37797D",
              "versionEndExcluding": "10.0.9",
              "versionStartIncluding": "10.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:-:*:*:*:*:*:*",
              "matchCriteriaId": "9E39A855-C0EB-4448-AE96-177757C40C66",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p1:*:*:*:*:*:*",
              "matchCriteriaId": "FFE7BE6E-7A9A-40C7-B236-7A21103E9F41",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p10:*:*:*:*:*:*",
              "matchCriteriaId": "B5924FFC-BA19-48B3-BF4D-0C2DB3FCD407",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p11:*:*:*:*:*:*",
              "matchCriteriaId": "7822D273-C2CB-4EFE-B929-3D34C65E005E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p12:*:*:*:*:*:*",
              "matchCriteriaId": "F81528E8-FE3A-4C48-A747-34A3FF28BCAB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p13:*:*:*:*:*:*",
              "matchCriteriaId": "D772D4BA-9ED6-492C-A0D3-0AF4F3D49037",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p14:*:*:*:*:*:*",
              "matchCriteriaId": "C2A468FE-B59B-4CE9-B9B2-C836EEAFA3E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p15:*:*:*:*:*:*",
              "matchCriteriaId": "04BECDE0-F082-49FB-ACA2-5C808902AA17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p16:*:*:*:*:*:*",
              "matchCriteriaId": "56558FD4-4391-4199-BA6B-B53F5DC30144",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p17:*:*:*:*:*:*",
              "matchCriteriaId": "69A530D3-B84E-427B-BC92-64BBFEF331BE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p18:*:*:*:*:*:*",
              "matchCriteriaId": "3C0DCE7F-85A4-44C6-88C8-380B0BBBFA7E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p19:*:*:*:*:*:*",
              "matchCriteriaId": "180AF8B6-55AE-460C-B613-37FB697B5325",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p2:*:*:*:*:*:*",
              "matchCriteriaId": "6FCB5528-70FD-4525-A78B-D5537609331A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p20:*:*:*:*:*:*",
              "matchCriteriaId": "34B07279-A26A-4EB1-8B33-885AD854018B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p21:*:*:*:*:*:*",
              "matchCriteriaId": "97402ADA-AB05-4A92-920D-EA5363424FDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p22:*:*:*:*:*:*",
              "matchCriteriaId": "697A1D34-FF0C-4F9E-8E91-34404A366D70",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p23:*:*:*:*:*:*",
              "matchCriteriaId": "9030D096-87A1-4AFF-BB7C-CE71990005B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p24:*:*:*:*:*:*",
              "matchCriteriaId": "F211A8B1-E33E-49BE-9C18-31B1902EB4FE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p25:*:*:*:*:*:*",
              "matchCriteriaId": "4152CEA2-9DC1-4567-BAB3-9C36F74F77EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p26:*:*:*:*:*:*",
              "matchCriteriaId": "9BC02B35-7FC4-41AB-8D2E-2CD1896D84C6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p27:*:*:*:*:*:*",
              "matchCriteriaId": "0294CB8B-B0AF-4A5C-B6B2-33F5BFFFBD4C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p28:*:*:*:*:*:*",
              "matchCriteriaId": "968A75B4-6D23-4B83-A8B5-777D8F151E04",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p29:*:*:*:*:*:*",
              "matchCriteriaId": "5E11BC24-56A3-4CAB-B0B2-D2430CD80767",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p3:*:*:*:*:*:*",
              "matchCriteriaId": "EF2EE32D-04A5-46EA-92F0-3C8D74A4B82A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p30:*:*:*:*:*:*",
              "matchCriteriaId": "50FB0099-0495-4735-9398-7F7E657F459B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p31:*:*:*:*:*:*",
              "matchCriteriaId": "FAE2858A-6D9E-4D79-AFA6-69C44D6D8C75",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p31.1:*:*:*:*:*:*",
              "matchCriteriaId": "5C1D9EB8-E3FE-4BF3-8517-603BA4B126C2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p32:*:*:*:*:*:*",
              "matchCriteriaId": "50A296BC-6DA4-41B2-923A-0633566AD6C1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p33:*:*:*:*:*:*",
              "matchCriteriaId": "C066ED38-1175-48FB-BE05-BE0C19E9EBE7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p34:*:*:*:*:*:*",
              "matchCriteriaId": "89B3EF32-B474-44DB-AE30-CD308CDC5A77",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p35:*:*:*:*:*:*",
              "matchCriteriaId": "A9ECCB00-F3F4-4EB7-9FD0-4CB64678B129",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p36:*:*:*:*:*:*",
              "matchCriteriaId": "37739F7A-490F-42A8-B97D-D09A3EDB85DC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p37:*:*:*:*:*:*",
              "matchCriteriaId": "518662DA-C0F3-4875-86D7-5ED2B2496CC8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p38:*:*:*:*:*:*",
              "matchCriteriaId": "64B28BE5-F35D-4AB0-A321-CEAE21BC26FF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p39:*:*:*:*:*:*",
              "matchCriteriaId": "9DFBABD6-70F2-4E3B-A9C0-82DE76D48542",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p4:*:*:*:*:*:*",
              "matchCriteriaId": "BB3C28CA-4C22-423E-B1C7-CBAFBB91F4DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p40:*:*:*:*:*:*",
              "matchCriteriaId": "0D2D6DBD-560A-4F8E-B2CC-67A564C460A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p41:*:*:*:*:*:*",
              "matchCriteriaId": "BFBC20F8-7F50-4D9D-8442-3397DED4B18B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p42:*:*:*:*:*:*",
              "matchCriteriaId": "D175FCA2-F902-4470-BFF6-5EC2F31BB06D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p43:*:*:*:*:*:*",
              "matchCriteriaId": "5516ED19-5648-4BC8-A9C2-6EE41B1794C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p44:*:*:*:*:*:*",
              "matchCriteriaId": "28D5F229-EE33-42C4-A26D-23BC760720A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p45:*:*:*:*:*:*",
              "matchCriteriaId": "A00BE897-F462-4193-BF51-4381B04C076B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p5:*:*:*:*:*:*",
              "matchCriteriaId": "A9A1314A-20C8-42D7-9387-D914999EEAF6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p6:*:*:*:*:*:*",
              "matchCriteriaId": "CEF091C5-8DC6-4A41-9E84-F53BE703F71B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p7:*:*:*:*:*:*",
              "matchCriteriaId": "ACD65C28-9716-4073-8613-C4AF12684760",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p8:*:*:*:*:*:*",
              "matchCriteriaId": "2C58AFFF-848F-490D-A95C-03A267C2DC98",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p9:*:*:*:*:*:*",
              "matchCriteriaId": "B62DC188-89A8-4AEA-90AE-563F0BBEFC54",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "32AFCE22-5ADA-4FF7-A165-5EC12B325DEF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p1:*:*:*:*:*:*",
              "matchCriteriaId": "D3577FE6-F1F4-4555-8D27-84D6DE731EA3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p10:*:*:*:*:*:*",
              "matchCriteriaId": "931BD98E-1A5F-4634-945B-BDD7D2FAA8B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p11:*:*:*:*:*:*",
              "matchCriteriaId": "2E7C0A57-A887-4D29-B601-4275313F46B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p12:*:*:*:*:*:*",
              "matchCriteriaId": "B7248B91-D136-4DD5-A631-737E4C220A02",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p13:*:*:*:*:*:*",
              "matchCriteriaId": "494F6FD4-36ED-4E40-8336-7F077FA80FA8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p14:*:*:*:*:*:*",
              "matchCriteriaId": "9DF8C0CE-A71D-4BB1-83FB-1EA5ED77E0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p15:*:*:*:*:*:*",
              "matchCriteriaId": "E0648498-2EE5-4B68-8360-ED5914285356",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p16:*:*:*:*:*:*",
              "matchCriteriaId": "24282FF8-548B-415B-95CA-1EFD404D21D3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p17:*:*:*:*:*:*",
              "matchCriteriaId": "ACFDF2D9-ED72-4969-AA3B-E8D48CB1922D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p18:*:*:*:*:*:*",
              "matchCriteriaId": "2B7D0A8B-7A72-4C1A-85F2-BE336CA47E0B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p19:*:*:*:*:*:*",
              "matchCriteriaId": "019AFC34-289E-4A01-B08B-A5807F7F909A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p2:*:*:*:*:*:*",
              "matchCriteriaId": "7E7B3976-DA6F-4285-93E6-2328006F7F4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p20:*:*:*:*:*:*",
              "matchCriteriaId": "062E586F-0E02-45A6-93AD-895048FC2D4C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p21:*:*:*:*:*:*",
              "matchCriteriaId": "3EE37BEE-4BDB-4E62-8DE3-98CF74DFBE01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p22:*:*:*:*:*:*",
              "matchCriteriaId": "ADF51BCA-37DD-4642-B201-74A6D1A545FF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p23:*:*:*:*:*:*",
              "matchCriteriaId": "39611F3D-A898-4C35-8915-3334CDFB78E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24:*:*:*:*:*:*",
              "matchCriteriaId": "40AB56B7-7222-4C44-A271-45DFE3673F72",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24.1:*:*:*:*:*:*",
              "matchCriteriaId": "2AE8F501-4528-4F15-AE50-D4F11FB462DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p25:*:*:*:*:*:*",
              "matchCriteriaId": "AB9E054B-7790-4E74-A771-40BF6EC71610",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p26:*:*:*:*:*:*",
              "matchCriteriaId": "DD924E57-C77B-430B-A615-537BB39CEA9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p27:*:*:*:*:*:*",
              "matchCriteriaId": "F43F4AC0-7C82-4CF4-B0C7-3A4C567BC985",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p28:*:*:*:*:*:*",
              "matchCriteriaId": "7991F602-41D7-4377-B888-D66A467EAD67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p29:*:*:*:*:*:*",
              "matchCriteriaId": "2193FCA2-1AE3-497D-B0ED-5B89727410E3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p3:*:*:*:*:*:*",
              "matchCriteriaId": "FA310AFA-492D-4A6C-A7F6-740E82CB6E57",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p30:*:*:*:*:*:*",
              "matchCriteriaId": "FF95618B-0BFB-403C-83BE-C97879FC866D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p31:*:*:*:*:*:*",
              "matchCriteriaId": "A82346A9-9CC2-4B91-BA2F-A815AAA92A7F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p32:*:*:*:*:*:*",
              "matchCriteriaId": "2E800348-E139-418D-910B-7B3A9E1E721C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p33:*:*:*:*:*:*",
              "matchCriteriaId": "C7DE1A7E-573B-42F3-B0A4-D2E676954FE0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p34:*:*:*:*:*:*",
              "matchCriteriaId": "E60BC1D0-8552-4E6B-B2C5-96038448C238",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p35:*:*:*:*:*:*",
              "matchCriteriaId": "3924251E-13B0-420E-8080-D3312C3D54AF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p36:*:*:*:*:*:*",
              "matchCriteriaId": "AEBE75F9-A494-4C78-927A-EA564BDCCE0B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p37:*:*:*:*:*:*",
              "matchCriteriaId": "900BECBA-7FDB-4E35-9603-29706FB87BD2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p38:*:*:*:*:*:*",
              "matchCriteriaId": "5024FD58-A3ED-43B1-83EF-F4570C2573BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p39:*:*:*:*:*:*",
              "matchCriteriaId": "3CC9D046-4EB4-4608-8AB7-B60AC330A770",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p4:*:*:*:*:*:*",
              "matchCriteriaId": "2AF337B5-B296-449B-8848-7636EC7C46C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p40:*:*:*:*:*:*",
              "matchCriteriaId": "A4535EC5-74D5-41E8-95F1-5C033ADB043E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p5:*:*:*:*:*:*",
              "matchCriteriaId": "52232ACA-C158-48C8-A0DB-7689040CB8FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p6:*:*:*:*:*:*",
              "matchCriteriaId": "3B4D0040-86D0-46C3-8A9A-3DD12138B9ED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p7:*:*:*:*:*:*",
              "matchCriteriaId": "D2BB9BC7-078D-4E08-88E4-9432D74CA9BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p8:*:*:*:*:*:*",
              "matchCriteriaId": "F04D4B77-D386-4BC8-8169-9846693F6F11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p9:*:*:*:*:*:*",
              "matchCriteriaId": "992370FA-F171-4FB3-9C1C-58AC37038CE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:10.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C936B30B-C717-442B-8656-CF9EE3FC7C10",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in Zimbra Collaboration (ZCS) through v10.1. A Cross-Site Scripting (XSS) vulnerability exists in one of the endpoints of Zimbra Webmail due to insufficient sanitization of the packages parameter. Attackers can bypass the existing checks by using encoded characters, allowing the injection and execution of arbitrary JavaScript within a victim\u0027s session."
    },
    {
      "lang": "es",
      "value": "Se descubri\u00f3 un problema en Zimbra Collaboration (ZCS) hasta la versi\u00f3n v10.1. Existe una vulnerabilidad de cross site scripting (XSS) en uno de los endpoints de Zimbra Webmail debido a una desinfecci\u00f3n insuficiente del par\u00e1metro packages. Los atacantes pueden eludir las comprobaciones existentes mediante el uso de caracteres codificados, lo que permite la inyecci\u00f3n y ejecuci\u00f3n de JavaScript arbitrario dentro de la sesi\u00f3n de una v\u00edctima."
    }
  ],
  "id": "CVE-2024-45514",
  "lastModified": "2025-06-11T21:17:14.553",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-11-21T16:15:25.820",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.zimbra.com/wiki/Security_Center"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P46#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_Fixes"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

CVE-2025-48700 (GCVE-0-2025-48700)

Vulnerability from cvelistv5 – Published: 2025-06-23 00:00 – Updated: 2025-06-24 15:57
VLAI?
Summary
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 and 10.1. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, specifically involving crafted tag structures and attribute values that include an @import directive and other script injection vectors. The vulnerability is triggered when a user views a crafted e-mail message in the Classic UI, requiring no additional user interaction.
Severity ?
6.1 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE
  • n/a
Assigner
References
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-48700",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-24T13:48:27.203210Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-24T15:57:02.569Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 and 10.1. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user\u0027s session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, specifically involving crafted tag structures and attribute values that include an @import directive and other script injection vectors. The vulnerability is triggered when a user views a crafted e-mail message in the Classic UI, requiring no additional user interaction."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-23T14:39:26.986Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Security_Center"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-48700",
    "datePublished": "2025-06-23T00:00:00.000Z",
    "dateReserved": "2025-05-23T00:00:00.000Z",
    "dateUpdated": "2025-06-24T15:57:02.569Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-45516 (GCVE-0-2024-45516)

Vulnerability from cvelistv5 – Published: 2025-05-14 00:00 – Updated: 2025-05-19 14:25
VLAI?
Summary
An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, including malformed <img> tags with embedded JavaScript. The vulnerability is triggered when a user views a specially crafted email in the Classic UI, requiring no additional user interaction.
Severity ?
6.1 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE
  • n/a
Assigner
References
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-45516",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-19T14:24:53.673415Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-19T14:25:22.301Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user\u0027s session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, including malformed \u003cimg\u003e tags with embedded JavaScript. The vulnerability is triggered when a user views a specially crafted email in the Classic UI, requiring no additional user interaction."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-15T15:26:34.067Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Security_Center"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-45516",
    "datePublished": "2025-05-14T00:00:00.000Z",
    "dateReserved": "2024-09-01T00:00:00.000Z",
    "dateUpdated": "2025-05-19T14:25:22.301Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-32354 (GCVE-0-2025-32354)

Vulnerability from cvelistv5 – Published: 2025-04-29 00:00 – Updated: 2025-05-06 15:34
VLAI?
Summary
In Zimbra Collaboration (ZCS) 9.0 through 10.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the GraphQL endpoint (/service/extension/graphql) of Zimbra webmail due to a lack of CSRF token validation. This allows attackers to perform unauthorized GraphQL operations, such as modifying contacts, changing account settings, and accessing sensitive user data when an authenticated user visits a malicious website.
Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE
  • n/a
Assigner
References
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-32354",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-06T15:34:18.525503Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-352",
                "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-06T15:34:54.669Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Zimbra Collaboration (ZCS) 9.0 through 10.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the GraphQL endpoint (/service/extension/graphql) of Zimbra webmail due to a lack of CSRF token validation. This allows attackers to perform unauthorized GraphQL operations, such as modifying contacts, changing account settings, and accessing sensitive user data when an authenticated user visits a malicious website."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-29T15:35:30.796Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Security_Center"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-32354",
    "datePublished": "2025-04-29T00:00:00.000Z",
    "dateReserved": "2025-04-05T00:00:00.000Z",
    "dateUpdated": "2025-05-06T15:34:54.669Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-27915 (GCVE-0-2025-27915)

Vulnerability from cvelistv5 – Published: 2025-03-12 00:00 – Updated: 2025-10-21 22:55
VLAI?
Summary
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a <details> tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration.
Severity ?
5.4 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE
  • n/a
Assigner
References
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-27915",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-07T03:55:56.855156Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2025-10-07",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-27915"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T22:55:23.602Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "url": "https://strikeready.com/blog/0day-ics-attack-in-the-wild/"
          },
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-27915"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2025-10-07T00:00:00+00:00",
            "value": "CVE-2025-27915 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a \u003cdetails\u003e tag. This allows an attacker to run arbitrary JavaScript within the victim\u0027s session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim\u0027s account, including e-mail redirection and data exfiltration."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-12T14:31:38.012Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Security_Center"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.5#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.13#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P44#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-27915",
    "datePublished": "2025-03-12T00:00:00.000Z",
    "dateReserved": "2025-03-10T00:00:00.000Z",
    "dateUpdated": "2025-10-21T22:55:23.602Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-25064 (GCVE-0-2025-25064)

Vulnerability from cvelistv5 – Published: 2025-02-03 00:00 – Updated: 2025-03-14 17:22
VLAI?
Summary
SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. Authenticated attackers can exploit this vulnerability by manipulating a specific parameter in the request, allowing them to inject arbitrary SQL queries that could retrieve email metadata.
Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
  • n/a
Assigner
References
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-25064",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-14T04:55:28.277127Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-89",
                "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-14T17:22:58.099Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. Authenticated attackers can exploit this vulnerability by manipulating a specific parameter in the request, allowing them to inject arbitrary SQL queries that could retrieve email metadata."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-06T20:02:26.403Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.12#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-25064",
    "datePublished": "2025-02-03T00:00:00.000Z",
    "dateReserved": "2025-02-03T00:00:00.000Z",
    "dateUpdated": "2025-03-14T17:22:58.099Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-25065 (GCVE-0-2025-25065)

Vulnerability from cvelistv5 – Published: 2025-02-03 00:00 – Updated: 2025-03-13 20:47
VLAI?
Summary
SSRF vulnerability in the RSS feed parser in Zimbra Collaboration 9.0.0 before Patch 43, 10.0.x before 10.0.12, and 10.1.x before 10.1.4 allows unauthorized redirection to internal network endpoints.
Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE
  • n/a
Assigner
References
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-25065",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-04T15:47:23.467273Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-918",
                "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-13T20:47:30.615Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SSRF vulnerability in the RSS feed parser in Zimbra Collaboration 9.0.0 before Patch 43, 10.0.x before 10.0.12, and 10.1.x before 10.1.4 allows unauthorized redirection to internal network endpoints."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-03T19:26:08.750Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.12#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P43#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-25065",
    "datePublished": "2025-02-03T00:00:00.000Z",
    "dateReserved": "2025-02-03T00:00:00.000Z",
    "dateUpdated": "2025-03-13T20:47:30.615Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-54663 (GCVE-0-2024-54663)

Vulnerability from cvelistv5 – Published: 2024-12-19 00:00 – Updated: 2024-12-31 19:05
VLAI?
Summary
An issue was discovered in the Webmail Classic UI in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A Local File Inclusion (LFI) vulnerability exists in the /h/rest endpoint, allowing authenticated remote attackers to include and access sensitive files in the WebRoot directory. Exploitation requires a valid auth token and involves crafting a malicious request targeting specific file paths.
Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE
  • n/a
Assigner
References
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-54663",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-31T19:03:09.242513Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-829",
                "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-31T19:05:36.462Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in the Webmail Classic UI in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A Local File Inclusion (LFI) vulnerability exists in the /h/rest endpoint, allowing authenticated remote attackers to include and access sensitive files in the WebRoot directory. Exploitation requires a valid auth token and involves crafting a malicious request targeting specific file paths."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T22:10:53.955634",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.3#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.11#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-54663",
    "datePublished": "2024-12-19T00:00:00",
    "dateReserved": "2024-12-04T00:00:00",
    "dateUpdated": "2024-12-31T19:05:36.462Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-45517 (GCVE-0-2024-45517)

Vulnerability from cvelistv5 – Published: 2024-11-21 00:00 – Updated: 2024-11-21 18:11
VLAI?
Summary
An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A Cross-Site Scripting (XSS) vulnerability in the /h/rest endpoint of the Zimbra webmail and admin panel interfaces allows attackers to execute arbitrary JavaScript in the victim's session. This issue is caused by improper sanitization of user input, leading to potential compromise of sensitive information. Exploitation requires user interaction to access the malicious URL.
Severity ?
6.1 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE
  • n/a
Assigner
References
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-45517",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-21T18:05:12.611671Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-21T18:11:27.846Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A Cross-Site Scripting (XSS) vulnerability in the /h/rest endpoint of the Zimbra webmail and admin panel interfaces allows attackers to execute arbitrary JavaScript in the victim\u0027s session. This issue is caused by improper sanitization of user input, leading to potential compromise of sensitive information. Exploitation requires user interaction to access the malicious URL."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-21T16:52:41.468011",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Security_Center"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P46#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-45517",
    "datePublished": "2024-11-21T00:00:00",
    "dateReserved": "2024-09-01T00:00:00",
    "dateUpdated": "2024-11-21T18:11:27.846Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-45512 (GCVE-0-2024-45512)

Vulnerability from cvelistv5 – Published: 2024-11-21 00:00 – Updated: 2024-11-21 18:11
VLAI?
Summary
An issue was discovered in webmail in Zimbra Collaboration (ZCS) through 10.1. An attacker can exploit this vulnerability by creating a folder in the Briefcase module with a malicious payload and sharing it with a victim. When the victim interacts with the folder share notification, the malicious script executes in their browser. This stored Cross-Site Scripting (XSS) vulnerability can lead to unauthorized actions within the victim's session.
Severity ?
6.1 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE
  • n/a
Assigner
References
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-45512",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-21T18:05:19.974636Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-21T18:11:28.172Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in webmail in Zimbra Collaboration (ZCS) through 10.1. An attacker can exploit this vulnerability by creating a folder in the Briefcase module with a malicious payload and sharing it with a victim. When the victim interacts with the folder share notification, the malicious script executes in their browser. This stored Cross-Site Scripting (XSS) vulnerability can lead to unauthorized actions within the victim\u0027s session."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-21T16:06:25.718736",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Security_Center"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-45512",
    "datePublished": "2024-11-21T00:00:00",
    "dateReserved": "2024-09-01T00:00:00",
    "dateUpdated": "2024-11-21T18:11:28.172Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-48700 (GCVE-0-2025-48700)

Vulnerability from nvd – Published: 2025-06-23 00:00 – Updated: 2025-06-24 15:57
VLAI?
Summary
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 and 10.1. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, specifically involving crafted tag structures and attribute values that include an @import directive and other script injection vectors. The vulnerability is triggered when a user views a crafted e-mail message in the Classic UI, requiring no additional user interaction.
Severity ?
6.1 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE
  • n/a
Assigner
References
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-48700",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-24T13:48:27.203210Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-24T15:57:02.569Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 and 10.1. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user\u0027s session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, specifically involving crafted tag structures and attribute values that include an @import directive and other script injection vectors. The vulnerability is triggered when a user views a crafted e-mail message in the Classic UI, requiring no additional user interaction."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-23T14:39:26.986Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Security_Center"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-48700",
    "datePublished": "2025-06-23T00:00:00.000Z",
    "dateReserved": "2025-05-23T00:00:00.000Z",
    "dateUpdated": "2025-06-24T15:57:02.569Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-45516 (GCVE-0-2024-45516)

Vulnerability from nvd – Published: 2025-05-14 00:00 – Updated: 2025-05-19 14:25
VLAI?
Summary
An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, including malformed <img> tags with embedded JavaScript. The vulnerability is triggered when a user views a specially crafted email in the Classic UI, requiring no additional user interaction.
Severity ?
6.1 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE
  • n/a
Assigner
References
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-45516",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-19T14:24:53.673415Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-19T14:25:22.301Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user\u0027s session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, including malformed \u003cimg\u003e tags with embedded JavaScript. The vulnerability is triggered when a user views a specially crafted email in the Classic UI, requiring no additional user interaction."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-15T15:26:34.067Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Security_Center"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-45516",
    "datePublished": "2025-05-14T00:00:00.000Z",
    "dateReserved": "2024-09-01T00:00:00.000Z",
    "dateUpdated": "2025-05-19T14:25:22.301Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-32354 (GCVE-0-2025-32354)

Vulnerability from nvd – Published: 2025-04-29 00:00 – Updated: 2025-05-06 15:34
VLAI?
Summary
In Zimbra Collaboration (ZCS) 9.0 through 10.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the GraphQL endpoint (/service/extension/graphql) of Zimbra webmail due to a lack of CSRF token validation. This allows attackers to perform unauthorized GraphQL operations, such as modifying contacts, changing account settings, and accessing sensitive user data when an authenticated user visits a malicious website.
Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE
  • n/a
Assigner
References
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-32354",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-06T15:34:18.525503Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-352",
                "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-06T15:34:54.669Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Zimbra Collaboration (ZCS) 9.0 through 10.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the GraphQL endpoint (/service/extension/graphql) of Zimbra webmail due to a lack of CSRF token validation. This allows attackers to perform unauthorized GraphQL operations, such as modifying contacts, changing account settings, and accessing sensitive user data when an authenticated user visits a malicious website."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-29T15:35:30.796Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Security_Center"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-32354",
    "datePublished": "2025-04-29T00:00:00.000Z",
    "dateReserved": "2025-04-05T00:00:00.000Z",
    "dateUpdated": "2025-05-06T15:34:54.669Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-27915 (GCVE-0-2025-27915)

Vulnerability from nvd – Published: 2025-03-12 00:00 – Updated: 2025-10-21 22:55
VLAI?
Summary
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a <details> tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration.
Severity ?
5.4 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE
  • n/a
Assigner
References
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-27915",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-07T03:55:56.855156Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2025-10-07",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-27915"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T22:55:23.602Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "url": "https://strikeready.com/blog/0day-ics-attack-in-the-wild/"
          },
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-27915"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2025-10-07T00:00:00+00:00",
            "value": "CVE-2025-27915 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a \u003cdetails\u003e tag. This allows an attacker to run arbitrary JavaScript within the victim\u0027s session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim\u0027s account, including e-mail redirection and data exfiltration."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-12T14:31:38.012Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Security_Center"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.5#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.13#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P44#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-27915",
    "datePublished": "2025-03-12T00:00:00.000Z",
    "dateReserved": "2025-03-10T00:00:00.000Z",
    "dateUpdated": "2025-10-21T22:55:23.602Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-25064 (GCVE-0-2025-25064)

Vulnerability from nvd – Published: 2025-02-03 00:00 – Updated: 2025-03-14 17:22
VLAI?
Summary
SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. Authenticated attackers can exploit this vulnerability by manipulating a specific parameter in the request, allowing them to inject arbitrary SQL queries that could retrieve email metadata.
Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
  • n/a
Assigner
References
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-25064",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-14T04:55:28.277127Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-89",
                "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-14T17:22:58.099Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. Authenticated attackers can exploit this vulnerability by manipulating a specific parameter in the request, allowing them to inject arbitrary SQL queries that could retrieve email metadata."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-06T20:02:26.403Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.12#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-25064",
    "datePublished": "2025-02-03T00:00:00.000Z",
    "dateReserved": "2025-02-03T00:00:00.000Z",
    "dateUpdated": "2025-03-14T17:22:58.099Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-25065 (GCVE-0-2025-25065)

Vulnerability from nvd – Published: 2025-02-03 00:00 – Updated: 2025-03-13 20:47
VLAI?
Summary
SSRF vulnerability in the RSS feed parser in Zimbra Collaboration 9.0.0 before Patch 43, 10.0.x before 10.0.12, and 10.1.x before 10.1.4 allows unauthorized redirection to internal network endpoints.
Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE
  • n/a
Assigner
References
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-25065",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-04T15:47:23.467273Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-918",
                "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-13T20:47:30.615Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SSRF vulnerability in the RSS feed parser in Zimbra Collaboration 9.0.0 before Patch 43, 10.0.x before 10.0.12, and 10.1.x before 10.1.4 allows unauthorized redirection to internal network endpoints."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-03T19:26:08.750Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.12#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P43#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-25065",
    "datePublished": "2025-02-03T00:00:00.000Z",
    "dateReserved": "2025-02-03T00:00:00.000Z",
    "dateUpdated": "2025-03-13T20:47:30.615Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-54663 (GCVE-0-2024-54663)

Vulnerability from nvd – Published: 2024-12-19 00:00 – Updated: 2024-12-31 19:05
VLAI?
Summary
An issue was discovered in the Webmail Classic UI in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A Local File Inclusion (LFI) vulnerability exists in the /h/rest endpoint, allowing authenticated remote attackers to include and access sensitive files in the WebRoot directory. Exploitation requires a valid auth token and involves crafting a malicious request targeting specific file paths.
Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE
  • n/a
Assigner
References
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-54663",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-31T19:03:09.242513Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-829",
                "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-31T19:05:36.462Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in the Webmail Classic UI in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A Local File Inclusion (LFI) vulnerability exists in the /h/rest endpoint, allowing authenticated remote attackers to include and access sensitive files in the WebRoot directory. Exploitation requires a valid auth token and involves crafting a malicious request targeting specific file paths."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T22:10:53.955634",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.3#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.11#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-54663",
    "datePublished": "2024-12-19T00:00:00",
    "dateReserved": "2024-12-04T00:00:00",
    "dateUpdated": "2024-12-31T19:05:36.462Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-45517 (GCVE-0-2024-45517)

Vulnerability from nvd – Published: 2024-11-21 00:00 – Updated: 2024-11-21 18:11
VLAI?
Summary
An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A Cross-Site Scripting (XSS) vulnerability in the /h/rest endpoint of the Zimbra webmail and admin panel interfaces allows attackers to execute arbitrary JavaScript in the victim's session. This issue is caused by improper sanitization of user input, leading to potential compromise of sensitive information. Exploitation requires user interaction to access the malicious URL.
Severity ?
6.1 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE
  • n/a
Assigner
References
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-45517",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-21T18:05:12.611671Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-21T18:11:27.846Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A Cross-Site Scripting (XSS) vulnerability in the /h/rest endpoint of the Zimbra webmail and admin panel interfaces allows attackers to execute arbitrary JavaScript in the victim\u0027s session. This issue is caused by improper sanitization of user input, leading to potential compromise of sensitive information. Exploitation requires user interaction to access the malicious URL."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-21T16:52:41.468011",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Security_Center"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P46#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-45517",
    "datePublished": "2024-11-21T00:00:00",
    "dateReserved": "2024-09-01T00:00:00",
    "dateUpdated": "2024-11-21T18:11:27.846Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-45512 (GCVE-0-2024-45512)

Vulnerability from nvd – Published: 2024-11-21 00:00 – Updated: 2024-11-21 18:11
VLAI?
Summary
An issue was discovered in webmail in Zimbra Collaboration (ZCS) through 10.1. An attacker can exploit this vulnerability by creating a folder in the Briefcase module with a malicious payload and sharing it with a victim. When the victim interacts with the folder share notification, the malicious script executes in their browser. This stored Cross-Site Scripting (XSS) vulnerability can lead to unauthorized actions within the victim's session.
Severity ?
6.1 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE
  • n/a
Assigner
References
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-45512",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-21T18:05:19.974636Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-21T18:11:28.172Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in webmail in Zimbra Collaboration (ZCS) through 10.1. An attacker can exploit this vulnerability by creating a folder in the Briefcase module with a malicious payload and sharing it with a victim. When the victim interacts with the folder share notification, the malicious script executes in their browser. This stored Cross-Site Scripting (XSS) vulnerability can lead to unauthorized actions within the victim\u0027s session."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-21T16:06:25.718736",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wiki.zimbra.com/wiki/Security_Center"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes"
        },
        {
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_Fixes"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-45512",
    "datePublished": "2024-11-21T00:00:00",
    "dateReserved": "2024-09-01T00:00:00",
    "dateUpdated": "2024-11-21T18:11:28.172Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}