Zimbra Collaboration Server 10.0.x < 10.0.18, 10.1.x < 10.1.13 Local File Inclusion

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(297134);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/30");

  script_cve_id("CVE-2025-68645");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2026/02/12");
  script_xref(name:"IAVA", value:"2026-A-0084-S");

  script_name(english:"Zimbra Collaboration Server 10.0.x < 10.0.18, 10.1.x < 10.1.13 Local File Inclusion");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a web application that is affected by a server side request forgery vulnerability.");
  script_set_attribute(attribute:"description", value:
"A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 
10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated 
remote attacker can craft requests to the /h/rest endpoint to influence internal request dispatching, allowing 
inclusion of arbitrary files from the WebRoot directory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.18");
  script_set_attribute(attribute:"see_also", value:"https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.13");
  script_set_attribute(attribute:"see_also", value:"https://wiki.zimbra.com/wiki/Security_Center");
  script_set_attribute(attribute:"see_also", value:"https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories");
  script_set_attribute(attribute:"solution", value:
"Upgrade to version 10.0.18, 10.1.13 or later.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-68645");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/11/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/11/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/29");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:zimbra:collaboration_suite");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("zimbra_web_detect.nbin", "zimbra_nix_installed.nbin");
  script_require_keys("installed_sw/zimbra_zcs");

  exit(0);
}

include('vcf.inc');
include('vcf_extras.inc');

var app_info = vcf::zimbra::combined_get_app_info();

var constraints = [
  {'min_version':'10.0', 'fixed_version':'10.0.18'},
  {'min_version':'10.1', 'fixed_version':'10.1.13'}
];

vcf::zimbra::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_HOLE
);