CVE-2026-33368
Zimbra Collaboration Suite (ZCS) 10.0 and 10.1 contain a reflected cross-site scripting (XSS) vulnerability in the Classic Webmail REST interface (/h/rest). The application fails to properly sanitize user-supplied input, allowing an unauthenticated attacker to inject malicious JavaScript into a crafte...
Zimbra Collaboration - Local File Inclusion
Zimbra Collaboration (ZCS) 10.0 and 10.1 contain a local file inclusion vulnerability caused by improper handling of user-supplied parameters in the RestFilter servlet, letting unauthenticated remote attackers include arbitrary files from the WebRoot; exploitation requires crafted requests to the /h/rest endpoint. id:...
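The two /h/rest entries above describe unauthenticated requests that carry script markup (XSS) or file paths (local file inclusion) in their parameters. The following detection pass over web-server access-log lines is an added example, not code from Zimbra or from either advisory. The log lines are constructed in combined log format (a Zimbra host's nginx or Jetty request logs may be laid out differently), and the XSS and traversal patterns, the repeated URL-decoding, and the scoping to the /h/rest path are heuristics chosen here, not indicators published for these CVEs.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines (combined log format), not real Zimbra traffic.
# Lines 2 and 3 are the ones a SOC would want flagged: a script tag in a
# /h/rest parameter, and a double-encoded traversal towards WEB-INF.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2026:12:00:01 +0000] "GET /h/rest?foo=bar HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Mar/2026:12:00:02 +0000] "GET /h/rest?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 612 "-" "curl/8.0"
203.0.113.12 - - [10/Mar/2026:12:00:03 +0000] "GET /h/rest?path=..%252F..%252FWEB-INF%252Fweb.xml HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.13 - - [10/Mar/2026:12:00:04 +0000] "GET /h/search?query=%3Cscript%3E HTTP/1.1" 200 100 "-" "Mozilla/5.0"
203.0.113.14 - - [10/Mar/2026:12:00:05 +0000] "GET /h/rest HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic indicators (assumptions, not published IOCs for these CVEs).
XSS_RE = re.compile(r"<\s*script|javascript\s*:|\bon\w+\s*=|<\s*(?:img|svg|iframe)\b", re.I)
LFI_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)|WEB-INF|\.jsp\b", re.I)


def fully_decode(s: str, rounds: int = 3) -> str:
    """URL-decode until the string stops changing (catches %252F-style double encoding)."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan(log_text: str) -> list:
    """Return one finding per /h/rest request whose decoded target matches an indicator.

    Scoped to the /h/rest path because that is the endpoint both entries name;
    widen the path check to catch the same payloads against other handlers.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line in the expected layout; skip rather than guess
        target = m["target"]
        if not urlsplit(target).path.startswith("/h/rest"):
            continue
        decoded = fully_decode(target)
        kinds = []
        if XSS_RE.search(decoded):
            kinds.append("xss")
        if LFI_RE.search(decoded):
            kinds.append("lfi")
        if kinds:
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": int(m["status"]),  # a 200 on a flagged request deserves a closer look
                "kinds": kinds,
                "request": decoded,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {','.join(f['kinds'])} {f['request']}")
```

Run it over a real request log by replacing SAMPLE_LOG with the file contents; the fourth sample line (a script tag against /h/search) is deliberately not flagged, which shows the cost of the path scoping.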
EUVD-2023-38292
Malicious code in bioql PyPI...
CVE-2023-34193
File Upload vulnerability in Zimbra ZCS 8.8.15 allows an authenticated privileged user to execute arbitrary code and obtain sensitive information via the ClientUploader function...
CVE-2023-34192
Cross Site Scripting vulnerability in Zimbra ZCS v.8.8.15 allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function...
CVE-2023-45206
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15, 9.0, and 10.0. Through the help document endpoint in webmail, an attacker can inject JavaScript or HTML code that leads to cross-site scripting (XSS). Adequate sanitization of the message content, so that malicious code is not rendered, will mitigate this issue...
CVE-2023-26562
In Zimbra Collaboration (ZCS) versions 8.8.15 through 9.0, a closed account (with 2FA and a generated password) can still send email when IMAP/SMTP is configured. Red Hat and other connected sources describe a root cause related to insufficient account-status checks for 2FA accounts, enabling mail sending desp...
CVE-2023-45206
Consolidated details for CVE-2023-45206 show a Zimbra Collaboration (ZCS) XSS vulnerability affecting versions 8.8.15, 9.0, and 10.0. The attack vector is via the help document endpoint in webmail, where an attacker can inject JavaScript/HTML, enabling cross-site scripting. The confirmed root cau...
CVE-2023-43102
CVE-2023-43102 affects Zimbra Collaboration (ZCS) before 10.0.4. An XSS flaw can be exploited to access the mailbox of an authenticated user. It is fixed in 10.0.4 and in ZCS 8.8.15 Patch 43 and 9.0.0 Patch 36; remediation is to upgrade to 10.0.4 or later or apply the corresponding patches.
CVE-2023-43103
Summary of CVE-2023-43103 (Zimbra Collaboration): affects a Zimbra Collaboration (ZCS) web endpoint. The vulnerability is a cross-site scripting (XSS) flaw caused by an unsanitized parameter in the web interface. Reported as present in ZCS versions prior to 10.0.4, with fixes applied in versions 8.8...
CVE-2023-41106
CVE-2023-41106 affects Zimbra Collaboration (ZCS) prior to 10.0.3. An unauthenticated attacker could gain access to a Zimbra account. The issue is fixed in 10.0.3 and also in 9.0.0 Patch 35 and 8.8.15 Patch 42. Remediation is to upgrade to a fixed release (10.0.3 or later, or the corresponding patched 9.0.0/8.8.15 lines)....
CVE-2023-37580
Zimbra Collaboration ZCS 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client...
CVE-2023-38750
CVE-2023-38750 affects Zimbra Collaboration (ZCS) 8.x before 8.8.15 Patch 41, 9.x before 9.0.0 Patch 34, and 10.x before 10.0.2, where internal JSP and XML files can be exposed (information disclosure). The exposure of internal JSP and XML files has been described...
CVE-2023-37580
CVE-2023-37580 – Zimbra Collaboration Suite (ZCS) XSS: the Nuclei template confirms a cross-site scripting vulnerability in ZCS 8.x before 8.8.15 Patch 41, specifically in the Zimbra Classic Web Client. Impact, as described in the linked document: successful exploitation could execute arbitrary script...
Zimbra issues awaited patch for actively exploited vulnerability
Two weeks ago, we urged readers to apply a workaround for an actively exploited vulnerability in Zimbra Collaboration Suite (ZCS) email servers. Zimbra has released ZCS 10.0.2, which fixes two security issues, including the known bug that could lead to exposure of internal JSP and XML files. Zimbra i...
PT-2023-4007
Name of the Vulnerable Software and Affected Versions: Zimbra Collaboration ZCS versions 8.0.0 through 8.8.15 Patch 40 (i.e. versions prior to 8.8.15 Patch 41)
Description: The issue is related to a Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic Web Client. This...
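The fix levels in the entries above differ per CVE and per release branch (an 8.8.15 patch number, a 9.0.0 patch number, or a 10.0.x release), which is where patch-status checks go wrong. The check below is an added example, not Zimbra's own tooling, that maps an installed version to the fix levels stated on this page for CVE-2023-37580, CVE-2023-38750, CVE-2023-41106 and CVE-2023-43102 (CVE-2023-43103 is left out because its 8.x and 9.x patch levels are truncated above). The input is assumed to be a string such as "8.8.15 Patch 41" or "9.0.0_P34" that you take from `zmcontrol -v`; the exact layout of that command's output is not modelled. A branch the page does not mention for a CVE (for example 9.x or 10.x for CVE-2023-37580) is reported as unknown rather than fixed.

```python
import re
from typing import Dict, NamedTuple, Tuple

Release = Tuple[int, int, int]


class ZcsVersion(NamedTuple):
    release: Release  # (major, minor, micro), e.g. (8, 8, 15)
    patch: int        # Zimbra patch level; 0 for a release with no patch applied


def fixed(major: int, minor: int, micro: int, patch: int = 0) -> ZcsVersion:
    return ZcsVersion((major, minor, micro), patch)


# Fix levels exactly as stated on this page, keyed by CVE and then by major
# branch. A branch missing from a CVE's entry means the page states no fix
# level for it, so the result is "unknown", never "fixed".
FIXED_IN: Dict[str, Dict[int, ZcsVersion]] = {
    "CVE-2023-37580": {8: fixed(8, 8, 15, 41)},  # page describes 8.x only
    "CVE-2023-38750": {8: fixed(8, 8, 15, 41), 9: fixed(9, 0, 0, 34), 10: fixed(10, 0, 2)},
    "CVE-2023-41106": {8: fixed(8, 8, 15, 42), 9: fixed(9, 0, 0, 35), 10: fixed(10, 0, 3)},
    "CVE-2023-43102": {8: fixed(8, 8, 15, 43), 9: fixed(9, 0, 0, 36), 10: fixed(10, 0, 4)},
}

_RELEASE_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# Accepts "Patch 41" and "_P41" spellings; the last patch number in the
# string wins, so a trailing "... Patch 8.8.15_P41" yields 41, not 8.
_PATCH_RE = re.compile(r"(?:patch\s*|_P)(\d+)", re.IGNORECASE)


def parse_version(text: str) -> ZcsVersion:
    """Parse '8.8.15 Patch 41', '9.0.0_P34' or a bare '10.0.2' (assumed input forms)."""
    rel = _RELEASE_RE.search(text)
    if not rel:
        raise ValueError(f"no X.Y.Z release number in {text!r}")
    patches = _PATCH_RE.findall(text)
    patch = int(patches[-1]) if patches else 0
    return ZcsVersion((int(rel[1]), int(rel[2]), int(rel[3])), patch)


def is_fixed(installed: ZcsVersion, fix: ZcsVersion) -> bool:
    # A later release is fixed regardless of patch level; the same release
    # is fixed only at or above the stated patch level.
    if installed.release != fix.release:
        return installed.release > fix.release
    return installed.patch >= fix.patch


def assess(version_text: str) -> Dict[str, str]:
    """Map each CVE on the page to 'fixed', 'vulnerable' or 'unknown' for this install."""
    installed = parse_version(version_text)
    branch = installed.release[0]
    status = {}
    for cve, per_branch in FIXED_IN.items():
        fix = per_branch.get(branch)
        if fix is None:
            status[cve] = "unknown"  # not covered by the page; consult the vendor advisory
        else:
            status[cve] = "fixed" if is_fixed(installed, fix) else "vulnerable"
    return status


if __name__ == "__main__":
    for sample in ("8.8.15 Patch 40", "8.8.15_P41", "9.0.0 Patch 36", "10.0.3"):
        print(sample, assess(sample))
```

Replace the sample strings with the release and patch line reported by your own host; anything reported as unknown or vulnerable should be checked against Zimbra's advisory for that branch rather than assumed safe.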
Cross site scripting
Cross Site Scripting vulnerability in Zimbra ZCS v.8.8.15 allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function...
Unrestricted file upload
File Upload vulnerability in Zimbra ZCS 8.8.15 allows an authenticated privileged user to execute arbitrary code and obtain sensitive information via the ClientUploader function...