Design/Logic Flaw

2018-05-1001:29:00

PRIOn knowledge base

www.prio-n.com

5.3 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

31.4%

JSON

mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 allows Account Enumeration by leveraging a Discrepancy between the “HTTP 404 - account is not active” and “HTTP 401 - must authenticate” errors.

CPENameOperatorVersion
zimbra_collaboration_suiteeq8.6.0
zimbra_collaboration_suitege8.7.0
zimbra_collaboration_suitele8.7.11
zimbra_collaboration_suitege8.8
zimbra_collaboration_suitelt8.8.8

Name	Operator	Version
zimbra_collaboration_suite	eq	8.6.0
zimbra_collaboration_suite	ge	8.7.0
zimbra_collaboration_suite	le	8.7.11
zimbra_collaboration_suite	ge	8.8
zimbra_collaboration_suite	lt	8.8.8

References

bugzilla.zimbra.com/show_bug.cgi?id=108962