63 matches found
CVE-2022-41352
CVE-2022-41352 affects Zimbra Collaboration (ZCS) 8.8.15 and 9.0. The issue arises from an amavis/cpio handling path traversal that can cause arbitrary file writes to /opt/zimbra/jetty/webapps/zimbra/public, enabling unauthorized access to other user accounts. Public details confirm the root caus...
CVE-2022-37042
Zimbra Collaboration Suite ZCS 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication i.e., not having an authtoken, an attacker can upload arbitrary files to the system, leading to directory traversal and remote code...
CVE-2022-37044
Affected software: Zimbra Collaboration Suite (ZCS) 8.8.15. Vulnerability: Reflected XSS in the /h/search?action endpoint, where parameters extra, title, and onload are partially sanitized. This can allow execution of arbitrary JavaScript in the victim’s browser. Impact: Client-side script execut...
CVE-2022-37043
CVE-2022-37043 affects Zimbra Collaboration Suite webmail (ZCS) 8.8.15 and 9.0.0. The issue is a preauth CSRF flaw where CSRF tokens are not checked on certain POST endpoints, allowing an authenticated user viewing an attacker‑controlled page to cause the application to process requests that appe...
CVE-2022-37042
CVE-2022-37042 affects Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0. The vulnerability arises in the mboximport endpoint that accepts a ZIP archive; when an attacker bypasses authentication (no authtoken), they can upload arbitrary files, causing directory traversal and remote code execution. ...
CVE-2022-27926
Zimbra Collaboration (ZCS) 9.0 is affected by a reflected XSS in /public/launchNewWindow.jsp that allows unauthenticated attackers to execute arbitrary script or HTML via request parameters. The issue is confirmed across multiple sources (NVD/Nuclei/CISA KEV/CNVD) with the impact described as cli...
CVE-2022-27925
CVE-2022-27925 affects Zimbra Collaboration Suite 8.8.15 and 9.0, where mboximport accepts a ZIP and extracts files. An authenticated administrator can upload arbitrary files, enabling directory traversal. Public PoCs/exploits in connected docs demonstrate path traversal behavior and indicate aff...
CVE-2022-27924
CVE-2022-27924 affects Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0, allowing an unauthenticated attacker to inject arbitrary memcache commands into a targeted ZCS instance, with those commands becoming unescaped and enabling overwriting of arbitrary cached entries and extraction of credential...
CVE-2020-7796
Zimbra Collaboration Suite ZCS before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is enabled...
CVE-2020-8633
CVE-2020-8633 affects Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7. The issue arises when grantors revoke a shared calendar in Outlook: the calendar remains mounted and accessible instead of being properly revoked. Public sources in connected documents confirm this behavior and link to ...
CVE-2018-14425
There is a Persistent XSS vulnerability in the briefcase component of Synacor Zimbra Collaboration Suite ZCS Zimbra Web Client ZWC 8.8.8 before 8.8.8 Patch 7 and 8.8.9 before 8.8.9 Patch 1...
CVE-2018-14425
CVE-2018-14425 concerns a Persistent XSS vulnerability in the Zimbra Web Client’s briefcase component within Zimbra Collaboration Suite (ZCS). Affected versions are ZCS/ZWC 8.8.8 prior to Patch 7 and 8.8.9 prior to Patch 1. The root cause is improper handling/validation of client-side data in the...
CVE-2018-6882
Zimbra Collaboration Suite (ZCS) is affected by an XSS in ZmMailMsgView.getAttachmentLinkHtml. The vulnerability exists in ZCS before 8.7 Patch 1 and 8.8.x before 8.8.7, allowing remote attackers to inject arbitrary web script or HTML via a Content-Location header in an email attachment. Affected...
Cross site scripting
Synacor Zimbra Collaboration Suite ZCS before 8.7.10 has Persistent XSS...
CVE-2017-17703
Synacor Zimbra Collaboration Suite ZCS before 8.8.3 has Persistent XSS...
CVE-2017-17703
CVE-2017-17703 affects Synacor Zimbra Collaboration Suite (ZCS) before version 8.8.3, with a persistent cross-site scripting (XSS) vulnerability. The issue is documented across multiple sources (NVD entry for CVE-2017-17703, OpenVAS note, CNVD entry) and is described as a persistent XSS in ZCS pr...
CVE-2017-8783
CVE-2017-8783: Zimbra Collaboration Suite (ZCS) before 8.7.10 is vulnerable to a persistent cross-site scripting (XSS) vulnerability. The issue is documented across multiple feeds (NVD, OpenVAS) as affecting Zimbra WebMail/Calendar/Address Book components before version 8.7.10. The connected docu...
CVE-2017-8802
CVE-2017-8802 affects Zimbra Collaboration Suite (ZCS) prior to 8.8.0 Beta2. The issue is a cross-site scripting (XSS) vulnerability in the Show Snippet functionality, allowing an attacker to inject arbitrary web script or HTML in the authenticated Zimbra web UI. Root cause: improper handling of ...
CVE-2017-6821
Summary (CVE-2017-6821) : Zimbra Collaboration Suite (ZCS) contains a directory traversal vulnerability in versions before 8.7.6. The CVE entry cites an unspecified impact via unknown vectors. Public-connected data confirms the issue in ZCS prior to 8.7.6 and aligns with multiple CVE references. ...
CVE-2017-7288
CVE-2017-7288 affects Zimbra Collaboration Suite (ZCS) before 8.7.1, allowing remote XSS via unspecified vectors. Impact: injection of arbitrary web script/HTML in a user’s browser. Affected component: ZCS web interface; root cause: XSS vulnerability in versions prior to 8.7.1. Remediation: upgra...