Vulnerability-Lookup

CVE-2022-27925 (GCVE-0-2022-27925)

Vulnerability from cvelistv5 – Published: 2022-04-20 23:23 – Updated: 2025-10-21 23:15

CISA KEV

Summary

Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.

Severity

7.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

Assigner

mitre

References

4 references

URL	Tags
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories	x_refsource_MISC
https://wiki.zimbra.com/wiki/Security_Center	x_refsource_MISC
https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24	x_refsource_MISC
http://packetstormsecurity.com/files/168146/Zimbr…	x_refsource_MISC

CISA KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

KEV entry ID: 0647d977-365d-4d49-9ed9-647141648903

Vulnerability ID: CVE-2022-27925

Status: Confirmed

Status Updated: 2022-08-11 00:00 UTC

Exploited: Yes

Timestamps

First Seen: 2022-08-11

Asserted: 2022-08-11

Scope

Notes: KEV entry: Synacor Zimbra Collaboration Suite (ZCS) Arbitrary File Upload Vulnerability | Affected: Synacor / Zimbra Collaboration Suite (ZCS) | Description: Synacor Zimbra Collaboration Suite (ZCS) contains flaw in the mboximport functionality, allowing an authenticated attacker to upload arbitrary files to perform remote code execution. This vulnerability was chained with CVE-2022-37042 which allows for unauthenticated remote code execution. | Required action: Apply updates per vendor instructions. | Due date: 2022-09-01 | Known ransomware campaign use (KEV): Known | Notes (KEV): https://blog.zimbra.com/2022/08/authentication-bypass-in-mailboximportservlet-vulnerability/; https://nvd.nist.gov/vuln/detail/CVE-2022-27925

Evidence

Type: Vendor Report

Signal: Successful Exploitation

Confidence: 80%

Source: cisa-kev

Details

Cwes	CWE-22
Feed	CISA Known Exploited Vulnerabilities Catalog
Product	Zimbra Collaboration Suite (ZCS)
Due Date	2022-09-01
Date Added	2022-08-11
Vendorproject	Synacor
Vulnerabilityname	Synacor Zimbra Collaboration Suite (ZCS) Arbitrary File Upload Vulnerability
Knownransomwarecampaignuse	Known

References

CVE-2022-27925

Created: 2026-02-02 12:27 UTC | Updated: 2026-02-06 07:17 UTC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:41:10.911Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wiki.zimbra.com/wiki/Security_Center"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.2,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "HIGH",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-27925",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-29T16:29:10.863360Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2022-08-11",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-27925"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-22",
                "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T23:15:41.071Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-27925"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2022-08-11T00:00:00.000Z",
            "value": "CVE-2022-27925 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-24T14:06:17.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wiki.zimbra.com/wiki/Security_Center"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-27925",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories",
              "refsource": "MISC",
              "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
            },
            {
              "name": "https://wiki.zimbra.com/wiki/Security_Center",
              "refsource": "MISC",
              "url": "https://wiki.zimbra.com/wiki/Security_Center"
            },
            {
              "name": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24",
              "refsource": "MISC",
              "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24"
            },
            {
              "name": "http://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-27925",
    "datePublished": "2022-04-20T23:23:25.000Z",
    "dateReserved": "2022-03-25T00:00:00.000Z",
    "dateUpdated": "2025-10-21T23:15:41.071Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2022-27925",
      "cwes": "[\"CWE-22\"]",
      "dateAdded": "2022-08-11",
      "dueDate": "2022-09-01",
      "knownRansomwareCampaignUse": "Known",
      "notes": "https://blog.zimbra.com/2022/08/authentication-bypass-in-mailboximportservlet-vulnerability/;  https://nvd.nist.gov/vuln/detail/CVE-2022-27925",
      "product": "Zimbra Collaboration Suite (ZCS)",
      "requiredAction": "Apply updates per vendor instructions.",
      "shortDescription": "Synacor Zimbra Collaboration Suite (ZCS) contains flaw in the mboximport functionality, allowing an authenticated attacker to upload arbitrary files to perform remote code execution. This vulnerability was chained with CVE-2022-37042 which allows for unauthenticated remote code execution.",
      "vendorProject": "Synacor",
      "vulnerabilityName": "Synacor Zimbra Collaboration Suite (ZCS) Arbitrary File Upload Vulnerability"
    },
    "epss": {
      "cve": "CVE-2022-27925",
      "date": "2026-05-28",
      "epss": "0.9431",
      "percentile": "0.9995"
    },
    "fkie_nvd": {
      "cisaActionDue": "2022-09-01",
      "cisaExploitAdd": "2022-08-11",
      "cisaRequiredAction": "Apply updates per vendor instructions.",
      "cisaVulnerabilityName": "Zimbra Collaboration (ZCS) Arbitrary File Upload Vulnerability",
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zimbra:collaboration:8.8.15:-:*:*:*:*:*:*\", \"matchCriteriaId\": \"1B17C1A7-0F0A-4E7C-8C0C-0BBB0BF66C82\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zimbra:collaboration:9.0.0:-:*:*:*:*:*:*\", \"matchCriteriaId\": \"685D9652-2934-4C13-8B36-40582C79BFC1\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.\"}, {\"lang\": \"es\", \"value\": \"Zimbra Collaboration (tambi\\u00e9n se conoce como ZCS) versiones 8.8.15 y 9.0, presenta la funcionalidad mboximport que recibe un archivo ZIP y extrae archivos de \\u00e9l. Un usuario autenticado con derechos de administrador presenta la capacidad de cargar archivos arbitrarios en el sistema, conllevando a un salto de directorio\"}]",
      "id": "CVE-2022-27925",
      "lastModified": "2024-11-21T06:56:28.473",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.2, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.2, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\", \"baseScore\": 6.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2022-04-21T00:15:08.407",
      "references": "[{\"url\": \"http://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://wiki.zimbra.com/wiki/Security_Center\", \"source\": \"cve@mitre.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24\", \"source\": \"cve@mitre.org\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories\", \"source\": \"cve@mitre.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://wiki.zimbra.com/wiki/Security_Center\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-27925\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2022-04-21T00:15:08.407\",\"lastModified\":\"2025-10-31T18:41:40.483\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.\"},{\"lang\":\"es\",\"value\":\"Zimbra Collaboration (tambi\u00e9n se conoce como ZCS) versiones 8.8.15 y 9.0, presenta la funcionalidad mboximport que recibe un archivo ZIP y extrae archivos de \u00e9l. Un usuario autenticado con derechos de administrador presenta la capacidad de cargar archivos arbitrarios en el sistema, conllevando a un salto de directorio\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\"baseScore\":6.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"cisaExploitAdd\":\"2022-08-11\",\"cisaActionDue\":\"2022-09-01\",\"cisaRequiredAction\":\"Apply updates per vendor instructions.\",\"cisaVulnerabilityName\":\"Synacor Zimbra Collaboration Suite (ZCS) Arbitrary File Upload Vulnerability\",\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"9E39A855-C0EB-4448-AE96-177757C40C66\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p1:*:*:*:*:*:*\",\"matchCriteriaId\":\"FFE7BE6E-7A9A-40C7-B236-7A21103E9F41\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p10:*:*:*:*:*:*\",\"matchCriteriaId\":\"B5924FFC-BA19-48B3-BF4D-0C2DB3FCD407\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p11:*:*:*:*:*:*\",\"matchCriteriaId\":\"7822D273-C2CB-4EFE-B929-3D34C65E005E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p12:*:*:*:*:*:*\",\"matchCriteriaId\":\"F81528E8-FE3A-4C48-A747-34A3FF28BCAB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p13:*:*:*:*:*:*\",\"matchCriteriaId\":\"D772D4BA-9ED6-492C-A0D3-0AF4F3D49037\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p14:*:*:*:*:*:*\",\"matchCriteriaId\":\"C2A468FE-B59B-4CE9-B9B2-C836EEAFA3E8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p15:*:*:*:*:*:*\",\"matchCriteriaId\":\"04BECDE0-F082-49FB-ACA2-5C808902AA17\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p16:*:*:*:*:*:*\",\"matchCriteriaId\":\"56558FD4-4391-4199-BA6B-B53F5DC30144\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p17:*:*:*:*:*:*\",\"matchCriteriaId\":\"69A530D3-B84E-427B-BC92-64BBFEF331BE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p18:*:*:*:*:*:*\",\"matchCriteriaId\":\"3C0DCE7F-85A4-44C6-88C8-380B0BBBFA7E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p19:*:*:*:*:*:*\",\"matchCriteriaId\":\"180AF8B6-55AE-460C-B613-37FB697B5325\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p2:*:*:*:*:*:*\",\"matchCriteriaId\":\"6FCB5528-70FD-4525-A78B-D5537609331A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p20:*:*:*:*:*:*\",\"matchCriteriaId\":\"34B07279-A26A-4EB1-8B33-885AD854018B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p21:*:*:*:*:*:*\",\"matchCriteriaId\":\"97402ADA-AB05-4A92-920D-EA5363424FDF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p22:*:*:*:*:*:*\",\"matchCriteriaId\":\"697A1D34-FF0C-4F9E-8E91-34404A366D70\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p23:*:*:*:*:*:*\",\"matchCriteriaId\":\"9030D096-87A1-4AFF-BB7C-CE71990005B3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p24:*:*:*:*:*:*\",\"matchCriteriaId\":\"F211A8B1-E33E-49BE-9C18-31B1902EB4FE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p25:*:*:*:*:*:*\",\"matchCriteriaId\":\"4152CEA2-9DC1-4567-BAB3-9C36F74F77EA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p26:*:*:*:*:*:*\",\"matchCriteriaId\":\"9BC02B35-7FC4-41AB-8D2E-2CD1896D84C6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p27:*:*:*:*:*:*\",\"matchCriteriaId\":\"0294CB8B-B0AF-4A5C-B6B2-33F5BFFFBD4C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p28:*:*:*:*:*:*\",\"matchCriteriaId\":\"968A75B4-6D23-4B83-A8B5-777D8F151E04\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p29:*:*:*:*:*:*\",\"matchCriteriaId\":\"5E11BC24-56A3-4CAB-B0B2-D2430CD80767\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p3:*:*:*:*:*:*\",\"matchCriteriaId\":\"EF2EE32D-04A5-46EA-92F0-3C8D74A4B82A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p30:*:*:*:*:*:*\",\"matchCriteriaId\":\"50FB0099-0495-4735-9398-7F7E657F459B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p4:*:*:*:*:*:*\",\"matchCriteriaId\":\"BB3C28CA-4C22-423E-B1C7-CBAFBB91F4DB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p5:*:*:*:*:*:*\",\"matchCriteriaId\":\"A9A1314A-20C8-42D7-9387-D914999EEAF6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p6:*:*:*:*:*:*\",\"matchCriteriaId\":\"CEF091C5-8DC6-4A41-9E84-F53BE703F71B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p7:*:*:*:*:*:*\",\"matchCriteriaId\":\"ACD65C28-9716-4073-8613-C4AF12684760\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p8:*:*:*:*:*:*\",\"matchCriteriaId\":\"2C58AFFF-848F-490D-A95C-03A267C2DC98\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p9:*:*:*:*:*:*\",\"matchCriteriaId\":\"B62DC188-89A8-4AEA-90AE-563F0BBEFC54\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"32AFCE22-5ADA-4FF7-A165-5EC12B325DEF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p1:*:*:*:*:*:*\",\"matchCriteriaId\":\"D3577FE6-F1F4-4555-8D27-84D6DE731EA3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p10:*:*:*:*:*:*\",\"matchCriteriaId\":\"931BD98E-1A5F-4634-945B-BDD7D2FAA8B0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p11:*:*:*:*:*:*\",\"matchCriteriaId\":\"2E7C0A57-A887-4D29-B601-4275313F46B3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p12:*:*:*:*:*:*\",\"matchCriteriaId\":\"B7248B91-D136-4DD5-A631-737E4C220A02\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p13:*:*:*:*:*:*\",\"matchCriteriaId\":\"494F6FD4-36ED-4E40-8336-7F077FA80FA8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p14:*:*:*:*:*:*\",\"matchCriteriaId\":\"9DF8C0CE-A71D-4BB1-83FB-1EA5ED77E0C9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p15:*:*:*:*:*:*\",\"matchCriteriaId\":\"E0648498-2EE5-4B68-8360-ED5914285356\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p16:*:*:*:*:*:*\",\"matchCriteriaId\":\"24282FF8-548B-415B-95CA-1EFD404D21D3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p17:*:*:*:*:*:*\",\"matchCriteriaId\":\"ACFDF2D9-ED72-4969-AA3B-E8D48CB1922D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p18:*:*:*:*:*:*\",\"matchCriteriaId\":\"2B7D0A8B-7A72-4C1A-85F2-BE336CA47E0B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p19:*:*:*:*:*:*\",\"matchCriteriaId\":\"019AFC34-289E-4A01-B08B-A5807F7F909A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p2:*:*:*:*:*:*\",\"matchCriteriaId\":\"7E7B3976-DA6F-4285-93E6-2328006F7F4D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p20:*:*:*:*:*:*\",\"matchCriteriaId\":\"062E586F-0E02-45A6-93AD-895048FC2D4C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p21:*:*:*:*:*:*\",\"matchCriteriaId\":\"3EE37BEE-4BDB-4E62-8DE3-98CF74DFBE01\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p22:*:*:*:*:*:*\",\"matchCriteriaId\":\"ADF51BCA-37DD-4642-B201-74A6D1A545FF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p23:*:*:*:*:*:*\",\"matchCriteriaId\":\"39611F3D-A898-4C35-8915-3334CDFB78E5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p3:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA310AFA-492D-4A6C-A7F6-740E82CB6E57\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p4:*:*:*:*:*:*\",\"matchCriteriaId\":\"2AF337B5-B296-449B-8848-7636EC7C46C5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p5:*:*:*:*:*:*\",\"matchCriteriaId\":\"52232ACA-C158-48C8-A0DB-7689040CB8FB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p6:*:*:*:*:*:*\",\"matchCriteriaId\":\"3B4D0040-86D0-46C3-8A9A-3DD12138B9ED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p7:*:*:*:*:*:*\",\"matchCriteriaId\":\"D2BB9BC7-078D-4E08-88E4-9432D74CA9BA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p8:*:*:*:*:*:*\",\"matchCriteriaId\":\"F04D4B77-D386-4BC8-8169-9846693F6F11\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p9:*:*:*:*:*:*\",\"matchCriteriaId\":\"992370FA-F171-4FB3-9C1C-58AC37038CE4\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://wiki.zimbra.com/wiki/Security_Center\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://wiki.zimbra.com/wiki/Security_Center\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-27925\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://wiki.zimbra.com/wiki/Security_Center\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"http://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T05:41:10.911Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-27925\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-29T16:29:10.863360Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2022-08-11\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-27925\"}}}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2022-08-11T00:00:00.000Z\", \"value\": \"CVE-2022-27925 added to CISA KEV\"}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-27925\", \"tags\": [\"government-resource\"]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-29T16:26:45.285Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"n/a\", \"product\": \"n/a\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"references\": [{\"url\": \"https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://wiki.zimbra.com/wiki/Security_Center\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"http://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"n/a\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2022-08-24T14:06:17.000Z\"}, \"x_legacyV4Record\": {\"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"n/a\"}]}, \"product_name\": \"n/a\"}]}, \"vendor_name\": \"n/a\"}]}}, \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories\", \"name\": \"https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories\", \"refsource\": \"MISC\"}, {\"url\": \"https://wiki.zimbra.com/wiki/Security_Center\", \"name\": \"https://wiki.zimbra.com/wiki/Security_Center\", \"refsource\": \"MISC\"}, {\"url\": \"https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24\", \"name\": \"https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24\", \"refsource\": \"MISC\"}, {\"url\": \"http://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html\", \"name\": \"http://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html\", \"refsource\": \"MISC\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"n/a\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2022-27925\", \"STATE\": \"PUBLIC\", \"ASSIGNER\": \"cve@mitre.org\"}}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-27925\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-21T23:15:41.071Z\", \"dateReserved\": \"2022-03-25T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2022-04-20T23:23:25.000Z\", \"assignerShortName\": \"mitre\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2022-AVI-291

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans Zimbra. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à l'intégrité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Synacor	Zimbra Collaboration	Zimbra Collaboration Joule versions antérieures à 8.8.15 Patch 31
	Synacor	Zimbra Collaboration	Zimbra Collaboration Kepler versions antérieures à 9.0.0 Patch 24

References

Title

Publication Time

CERTFR-2022-AVI-291

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Synacor	Zimbra Collaboration	Zimbra Collaboration Joule versions antérieures à 8.8.15 Patch 31
	Synacor	Zimbra Collaboration	Zimbra Collaboration Kepler versions antérieures à 9.0.0 Patch 24

References

Title

Publication Time

BDU:2022-05086

Vulnerability from fstec - Published: 27.12.2021

Title

Уязвимость функции mboximport корпоративной системы управления электронной почтой Zimbra Collaboration Suite (ZCS), позволяющая нарушителю загрузить произвольные файлы в систему

Description

Уязвимость функции mboximport корпоративной системы управления электронной почтой Zimbra Collaboration Suite (ZCS) связана с неограниченной загрузкой файлов опасного типа. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, загрузить произвольные файлы в систему

Severity


                    
                      AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

Vendor

Zimbra Inc.

Software Name

Zimbra Collaboration Suite

Software Version

до 9.0.0 P24 (Zimbra Collaboration Suite)

Possible Mitigations

Использование рекомендаций: https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24

Reference

https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24 https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories http://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv

CWE

CWE-434

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:S/C:P/I:N/A:C",
  "CVSS 3.0": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Zimbra Inc.",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "\u0434\u043e 9.0.0 P24 (Zimbra Collaboration Suite)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "27.12.2021",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "24.09.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "18.08.2022",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2022-05086",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2022-27925",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Zimbra Collaboration Suite",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 mboximport \u043a\u043e\u0440\u043f\u043e\u0440\u0430\u0442\u0438\u0432\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u044d\u043b\u0435\u043a\u0442\u0440\u043e\u043d\u043d\u043e\u0439 \u043f\u043e\u0447\u0442\u043e\u0439 Zimbra Collaboration Suite (ZCS), \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0437\u0430\u0433\u0440\u0443\u0437\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0435 \u0444\u0430\u0439\u043b\u044b \u0432 \u0441\u0438\u0441\u0442\u0435\u043c\u0443",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u043d\u0430\u044f \u0437\u0430\u0433\u0440\u0443\u0437\u043a\u0430 \u0444\u0430\u0439\u043b\u043e\u0432 \u043e\u043f\u0430\u0441\u043d\u043e\u0433\u043e \u0442\u0438\u043f\u0430 (CWE-434)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 mboximport \u043a\u043e\u0440\u043f\u043e\u0440\u0430\u0442\u0438\u0432\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u044d\u043b\u0435\u043a\u0442\u0440\u043e\u043d\u043d\u043e\u0439 \u043f\u043e\u0447\u0442\u043e\u0439 Zimbra Collaboration Suite (ZCS) \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u043d\u043e\u0439 \u0437\u0430\u0433\u0440\u0443\u0437\u043a\u043e\u0439 \u0444\u0430\u0439\u043b\u043e\u0432 \u043e\u043f\u0430\u0441\u043d\u043e\u0433\u043e \u0442\u0438\u043f\u0430. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0437\u0430\u0433\u0440\u0443\u0437\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0435 \u0444\u0430\u0439\u043b\u044b \u0432 \u0441\u0438\u0441\u0442\u0435\u043c\u0443",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041f\u043e\u0434\u043c\u0435\u043d\u0430 \u043f\u0440\u0438 \u0432\u0437\u0430\u0438\u043c\u043e\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://wiki.zimbra.com/wiki/Security_Center\nhttps://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24\nhttps://wiki.zimbra.com/wiki/Zimbra_Security_Advisories\nhttp://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html\nhttps://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-434",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,5)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,1)"
}

CNVD-2022-71402

Vulnerability from cnvd - Published: 2022-10-26

Title

Zimbra文件上传漏洞

Description

Zimbra是美国Zimbra公司的一套开源的电子邮件协作平台。 Zimbra Collaboration（又名 ZCS）8.8.15版本和9.0版本存在文件上传漏洞，该漏洞源于应用对上传的文件缺少有效的验证。具有管理员权限的经过身份验证的攻击者可利用该漏洞能够将任意文件上传到系统，从而导致远程代码执行。

Severity

中

Patch Name

Zimbra文件上传漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://wiki.zimbra.com/wiki/Security_Center

Reference

https://nvd.nist.gov/vuln/detail/CVE-2022-27925

Impacted products

Name
['Zimbra Zimbra Collaboration 8.8.15', 'Zimbra Zimbra Collaboration 9.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-27925",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-27925"
    }
  },
  "description": "Zimbra\u662f\u7f8e\u56fdZimbra\u516c\u53f8\u7684\u4e00\u5957\u5f00\u6e90\u7684\u7535\u5b50\u90ae\u4ef6\u534f\u4f5c\u5e73\u53f0\u3002\n\nZimbra Collaboration\uff08\u53c8\u540d ZCS\uff098.8.15\u7248\u672c\u548c9.0\u7248\u672c\u5b58\u5728\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5e94\u7528\u5bf9\u4e0a\u4f20\u7684\u6587\u4ef6\u7f3a\u5c11\u6709\u6548\u7684\u9a8c\u8bc1\u3002\u5177\u6709\u7ba1\u7406\u5458\u6743\u9650\u7684\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u80fd\u591f\u5c06\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u5230\u7cfb\u7edf\uff0c\u4ece\u800c\u5bfc\u81f4\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://wiki.zimbra.com/wiki/Security_Center",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-71402",
  "openTime": "2022-10-26",
  "patchDescription": "Zimbra\u662f\u7f8e\u56fdZimbra\u516c\u53f8\u7684\u4e00\u5957\u5f00\u6e90\u7684\u7535\u5b50\u90ae\u4ef6\u534f\u4f5c\u5e73\u53f0\u3002\r\n\r\nZimbra Collaboration\uff08\u53c8\u540d ZCS\uff098.8.15\u7248\u672c\u548c9.0\u7248\u672c\u5b58\u5728\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5e94\u7528\u5bf9\u4e0a\u4f20\u7684\u6587\u4ef6\u7f3a\u5c11\u6709\u6548\u7684\u9a8c\u8bc1\u3002\u5177\u6709\u7ba1\u7406\u5458\u6743\u9650\u7684\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u80fd\u591f\u5c06\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u5230\u7cfb\u7edf\uff0c\u4ece\u800c\u5bfc\u81f4\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Zimbra\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Zimbra Zimbra Collaboration 8.8.15",
      "Zimbra Zimbra Collaboration 9.0"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-27925",
  "serverity": "\u4e2d",
  "submitTime": "2022-04-22",
  "title": "Zimbra\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e"
}

FKIE_CVE-2022-27925

Vulnerability from fkie_nvd - Published: 2022-04-21 00:15 - Updated: 2025-10-31 18:41

CISA KEV

Severity

7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
cve@mitre.org	http://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html	Exploit, Third Party Advisory, VDB Entry
cve@mitre.org	https://wiki.zimbra.com/wiki/Security_Center	Vendor Advisory
cve@mitre.org	https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24	Release Notes, Vendor Advisory
cve@mitre.org	https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://wiki.zimbra.com/wiki/Security_Center	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24	Release Notes, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories	Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-27925	US Government Resource

Impacted products

Vendor	Product	Version
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0

JSON

To clipboard

{
  "cisaActionDue": "2022-09-01",
  "cisaExploitAdd": "2022-08-11",
  "cisaRequiredAction": "Apply updates per vendor instructions.",
  "cisaVulnerabilityName": "Synacor Zimbra Collaboration Suite (ZCS) Arbitrary File Upload Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:-:*:*:*:*:*:*",
              "matchCriteriaId": "9E39A855-C0EB-4448-AE96-177757C40C66",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p1:*:*:*:*:*:*",
              "matchCriteriaId": "FFE7BE6E-7A9A-40C7-B236-7A21103E9F41",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p10:*:*:*:*:*:*",
              "matchCriteriaId": "B5924FFC-BA19-48B3-BF4D-0C2DB3FCD407",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p11:*:*:*:*:*:*",
              "matchCriteriaId": "7822D273-C2CB-4EFE-B929-3D34C65E005E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p12:*:*:*:*:*:*",
              "matchCriteriaId": "F81528E8-FE3A-4C48-A747-34A3FF28BCAB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p13:*:*:*:*:*:*",
              "matchCriteriaId": "D772D4BA-9ED6-492C-A0D3-0AF4F3D49037",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p14:*:*:*:*:*:*",
              "matchCriteriaId": "C2A468FE-B59B-4CE9-B9B2-C836EEAFA3E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p15:*:*:*:*:*:*",
              "matchCriteriaId": "04BECDE0-F082-49FB-ACA2-5C808902AA17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p16:*:*:*:*:*:*",
              "matchCriteriaId": "56558FD4-4391-4199-BA6B-B53F5DC30144",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p17:*:*:*:*:*:*",
              "matchCriteriaId": "69A530D3-B84E-427B-BC92-64BBFEF331BE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p18:*:*:*:*:*:*",
              "matchCriteriaId": "3C0DCE7F-85A4-44C6-88C8-380B0BBBFA7E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p19:*:*:*:*:*:*",
              "matchCriteriaId": "180AF8B6-55AE-460C-B613-37FB697B5325",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p2:*:*:*:*:*:*",
              "matchCriteriaId": "6FCB5528-70FD-4525-A78B-D5537609331A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p20:*:*:*:*:*:*",
              "matchCriteriaId": "34B07279-A26A-4EB1-8B33-885AD854018B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p21:*:*:*:*:*:*",
              "matchCriteriaId": "97402ADA-AB05-4A92-920D-EA5363424FDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p22:*:*:*:*:*:*",
              "matchCriteriaId": "697A1D34-FF0C-4F9E-8E91-34404A366D70",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p23:*:*:*:*:*:*",
              "matchCriteriaId": "9030D096-87A1-4AFF-BB7C-CE71990005B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p24:*:*:*:*:*:*",
              "matchCriteriaId": "F211A8B1-E33E-49BE-9C18-31B1902EB4FE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p25:*:*:*:*:*:*",
              "matchCriteriaId": "4152CEA2-9DC1-4567-BAB3-9C36F74F77EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p26:*:*:*:*:*:*",
              "matchCriteriaId": "9BC02B35-7FC4-41AB-8D2E-2CD1896D84C6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p27:*:*:*:*:*:*",
              "matchCriteriaId": "0294CB8B-B0AF-4A5C-B6B2-33F5BFFFBD4C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p28:*:*:*:*:*:*",
              "matchCriteriaId": "968A75B4-6D23-4B83-A8B5-777D8F151E04",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p29:*:*:*:*:*:*",
              "matchCriteriaId": "5E11BC24-56A3-4CAB-B0B2-D2430CD80767",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p3:*:*:*:*:*:*",
              "matchCriteriaId": "EF2EE32D-04A5-46EA-92F0-3C8D74A4B82A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p30:*:*:*:*:*:*",
              "matchCriteriaId": "50FB0099-0495-4735-9398-7F7E657F459B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p4:*:*:*:*:*:*",
              "matchCriteriaId": "BB3C28CA-4C22-423E-B1C7-CBAFBB91F4DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p5:*:*:*:*:*:*",
              "matchCriteriaId": "A9A1314A-20C8-42D7-9387-D914999EEAF6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p6:*:*:*:*:*:*",
              "matchCriteriaId": "CEF091C5-8DC6-4A41-9E84-F53BE703F71B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p7:*:*:*:*:*:*",
              "matchCriteriaId": "ACD65C28-9716-4073-8613-C4AF12684760",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p8:*:*:*:*:*:*",
              "matchCriteriaId": "2C58AFFF-848F-490D-A95C-03A267C2DC98",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p9:*:*:*:*:*:*",
              "matchCriteriaId": "B62DC188-89A8-4AEA-90AE-563F0BBEFC54",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "32AFCE22-5ADA-4FF7-A165-5EC12B325DEF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p1:*:*:*:*:*:*",
              "matchCriteriaId": "D3577FE6-F1F4-4555-8D27-84D6DE731EA3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p10:*:*:*:*:*:*",
              "matchCriteriaId": "931BD98E-1A5F-4634-945B-BDD7D2FAA8B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p11:*:*:*:*:*:*",
              "matchCriteriaId": "2E7C0A57-A887-4D29-B601-4275313F46B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p12:*:*:*:*:*:*",
              "matchCriteriaId": "B7248B91-D136-4DD5-A631-737E4C220A02",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p13:*:*:*:*:*:*",
              "matchCriteriaId": "494F6FD4-36ED-4E40-8336-7F077FA80FA8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p14:*:*:*:*:*:*",
              "matchCriteriaId": "9DF8C0CE-A71D-4BB1-83FB-1EA5ED77E0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p15:*:*:*:*:*:*",
              "matchCriteriaId": "E0648498-2EE5-4B68-8360-ED5914285356",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p16:*:*:*:*:*:*",
              "matchCriteriaId": "24282FF8-548B-415B-95CA-1EFD404D21D3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p17:*:*:*:*:*:*",
              "matchCriteriaId": "ACFDF2D9-ED72-4969-AA3B-E8D48CB1922D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p18:*:*:*:*:*:*",
              "matchCriteriaId": "2B7D0A8B-7A72-4C1A-85F2-BE336CA47E0B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p19:*:*:*:*:*:*",
              "matchCriteriaId": "019AFC34-289E-4A01-B08B-A5807F7F909A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p2:*:*:*:*:*:*",
              "matchCriteriaId": "7E7B3976-DA6F-4285-93E6-2328006F7F4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p20:*:*:*:*:*:*",
              "matchCriteriaId": "062E586F-0E02-45A6-93AD-895048FC2D4C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p21:*:*:*:*:*:*",
              "matchCriteriaId": "3EE37BEE-4BDB-4E62-8DE3-98CF74DFBE01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p22:*:*:*:*:*:*",
              "matchCriteriaId": "ADF51BCA-37DD-4642-B201-74A6D1A545FF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p23:*:*:*:*:*:*",
              "matchCriteriaId": "39611F3D-A898-4C35-8915-3334CDFB78E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p3:*:*:*:*:*:*",
              "matchCriteriaId": "FA310AFA-492D-4A6C-A7F6-740E82CB6E57",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p4:*:*:*:*:*:*",
              "matchCriteriaId": "2AF337B5-B296-449B-8848-7636EC7C46C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p5:*:*:*:*:*:*",
              "matchCriteriaId": "52232ACA-C158-48C8-A0DB-7689040CB8FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p6:*:*:*:*:*:*",
              "matchCriteriaId": "3B4D0040-86D0-46C3-8A9A-3DD12138B9ED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p7:*:*:*:*:*:*",
              "matchCriteriaId": "D2BB9BC7-078D-4E08-88E4-9432D74CA9BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p8:*:*:*:*:*:*",
              "matchCriteriaId": "F04D4B77-D386-4BC8-8169-9846693F6F11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p9:*:*:*:*:*:*",
              "matchCriteriaId": "992370FA-F171-4FB3-9C1C-58AC37038CE4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal."
    },
    {
      "lang": "es",
      "value": "Zimbra Collaboration (tambi\u00e9n se conoce como ZCS) versiones 8.8.15 y 9.0, presenta la funcionalidad mboximport que recibe un archivo ZIP y extrae archivos de \u00e9l. Un usuario autenticado con derechos de administrador presenta la capacidad de cargar archivos arbitrarios en el sistema, conllevando a un salto de directorio"
    }
  ],
  "id": "CVE-2022-27925",
  "lastModified": "2025-10-31T18:41:40.483",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2022-04-21T00:15:08.407",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.zimbra.com/wiki/Security_Center"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.zimbra.com/wiki/Security_Center"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-27925"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

GHSA-J5R7-6RM3-99MM

Vulnerability from github – Published: 2022-04-22 00:00 – Updated: 2025-10-22 00:32

Details

Severity

7.2 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-27925"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-434"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-21T00:15:00Z",
    "severity": "HIGH"
  },
  "details": "Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.",
  "id": "GHSA-j5r7-6rm3-99mm",
  "modified": "2025-10-22T00:32:32Z",
  "published": "2022-04-22T00:00:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27925"
    },
    {
      "type": "WEB",
      "url": "https://wiki.zimbra.com/wiki/Security_Center"
    },
    {
      "type": "WEB",
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24"
    },
    {
      "type": "WEB",
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-27925"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GSD-2022-27925

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-27925

Aliases

CVE-2022-27925

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-27925",
    "description": "Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.",
    "id": "GSD-2022-27925"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-27925"
      ],
      "details": "Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.",
      "id": "GSD-2022-27925",
      "modified": "2023-12-13T01:19:41.433176Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2022-27925",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories",
            "refsource": "MISC",
            "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
          },
          {
            "name": "https://wiki.zimbra.com/wiki/Security_Center",
            "refsource": "MISC",
            "url": "https://wiki.zimbra.com/wiki/Security_Center"
          },
          {
            "name": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24",
            "refsource": "MISC",
            "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24"
          },
          {
            "name": "http://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:zimbra:collaboration:9.0.0:-:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:zimbra:collaboration:8.8.15:-:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-27925"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-434"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
            },
            {
              "name": "https://wiki.zimbra.com/wiki/Security_Center",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://wiki.zimbra.com/wiki/Security_Center"
            },
            {
              "name": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Vendor Advisory"
              ],
              "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24"
            },
            {
              "name": "http://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2022-10-28T19:11Z",
      "publishedDate": "2022-04-21T00:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-27925 (GCVE-0-2022-27925)

CISA KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

Timestamps

Scope

Evidence

Vendor Report Successful Exploitation Confidence: 80% Source: cisa-kev

Details

References

CERTFR-2022-AVI-291

Solution

CERTFR-2022-AVI-291

Solution

BDU:2022-05086

CNVD-2022-71402

FKIE_CVE-2022-27925

GHSA-J5R7-6RM3-99MM

GSD-2022-27925

Tags

Sightings

Nomenclature