Synacor Zimbra Collaboration Suite

66 matches found

added 2019/05/29 10:29 p.m. | 1387 views

CVE-2019-9670

mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability, as demonstrated by Autodiscover/Autodiscover.xml.

CVSS 9.8 | AI score 9.6 | EPSS 0.9443

added 2022/04/21 12:15 a.m. | 1053 views

CVE-2022-27925

Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.

CVSS 7.2 | AI score 7.2 | EPSS 0.94306

added 2018/03/27 4:29 p.m. | 962 views

CVE-2018-6882

Cross-site scripting (XSS) vulnerability in the ZmMailMsgView.getAttachmentLinkHtml function in Zimbra Collaboration Suite (ZCS) before 8.7 Patch 1 and 8.8.x before 8.8.7 might allow remote attackers to inject arbitrary web script or HTML via a Content-Location header in an email attachment.

CVSS 6.1 | AI score 6.1 | EPSS 0.65605

added 2025/02/03 8:15 p.m. | 713 views

CVE-2025-25064

SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. Authenticated attackers can exploit this vulnerability by manipulating a specific parameter in th...

CVSS 8.8 | AI score 9.7 | EPSS 0.24423

added 2025/02/03 8:15 p.m. | 618 views

CVE-2025-25065

SSRF vulnerability in the RSS feed parser in Zimbra Collaboration 9.0.0 before Patch 43, 10.0.x before 10.0.12, and 10.1.x before 10.1.4 allows unauthorized redirection to internal network endpoints.

CVSS 5.3 | AI score 6.7 | EPSS 0.00143

added 2019/04/30 6:29 p.m. | 298 views

CVE-2019-9621

Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows SSRF via the ProxyServlet component.

CVSS 7.5 | AI score 7.5 | EPSS 0.9179

added 2019/05/29 10:29 p.m. | 185 views

CVE-2018-20160

ZxChat (aka ZeXtras Chat), as used for zimbra-chat and zimbra-talk in Synacor Zimbra Collaboration Suite 8.7 and 8.8 and in other products, allows XXE attacks, as demonstrated by a crafted XML request to mailboxd.

CVSS 9.8 | AI score 9.3 | EPSS 0.02666

added 2019/05/29 10:29 p.m. | 183 views

CVE-2019-6980

Synacor Zimbra Collaboration Suite 8.7.x through 8.8.11 allows insecure object deserialization in the IMAP component.

CVSS 9.8 | AI score 9.4 | EPSS 0.45025

added 2019/05/29 10:29 p.m. | 181 views

CVE-2018-18631

mailboxd component in Synacor Zimbra Collaboration Suite 8.6, 8.7 before 8.7.11 Patch 7, and 8.8 before 8.8.10 Patch 2 has Persistent XSS.

CVSS 6.1 | AI score 6.2 | EPSS 0.01546

added 2019/05/29 10:29 p.m. | 167 views

CVE-2019-6981

Zimbra Collaboration Suite 8.7.x through 8.8.11 allows Blind SSRF in the Feed component.

CVSS 6.5 | AI score 6.4 | EPSS 0.00296

added 2019/05/29 10:29 p.m. | 148 views

CVE-2018-14013

Synacor Zimbra Collaboration Suite Collaboration before 8.8.11 has XSS in the AJAX and html web clients.

CVSS 6.1 | AI score 6 | EPSS 0.39816

added 2013/12/13 6:7 p.m. | 136 views

CVE-2013-7091

Directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the skin parameter. NOTE: this can be leveraged to execute arbitrary code by obtaining LD...

CVSS 5 | AI score 9.3 | EPSS 0.91686

added 2017/01/18 10:59 p.m. | 121 views

CVE-2016-3407

Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bugs 104222, 104910, 105071, and 105175.

CVSS 6.1 | AI score 6.5 | EPSS 0.00441

added 2020/02/18 10:15 p.m. | 89 views

CVE-2020-7796

Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is enabled.

CVSS 9.8 | AI score 9.4 | EPSS 0.74934

added 2020/02/18 10:15 p.m. | 68 views

CVE-2020-8633

An issue was discovered in Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7. When grantors revoked a shared calendar in Outlook, the calendar stayed mounted and accessible.

CVSS 5.3 | AI score 5.2 | EPSS 0.00203

added 2020/06/03 5:15 p.m. | 67 views

CVE-2020-12846

Zimbra before 8.8.15 Patch 10 and 9.x before 9.0.0 Patch 3 allows remote code execution via an avatar file. There is potential abuse of /service/upload servlet in the webmail subsystem. A user can upload executable files (exe,sh,bat,jar) in the Contact section of the mailbox as an avatar image for ...

CVSS 8 | AI score 8.2 | EPSS 0.13008

added 2017/01/18 10:59 p.m. | 65 views

CVE-2016-3411

Cross-site scripting (XSS) vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bug 103609.

CVSS 6.1 | AI score 6 | EPSS 0.13621

added 2022/10/17 11:15 p.m. | 65 views

CVE-2022-3569

Due to an issue with incorrect sudo permissions, Zimbra Collaboration Suite (ZCS) suffers from a local privilege escalation issue in versions 9.0.0 and prior, where the 'zimbra' user can effectively coerce postfix into running arbitrary commands as 'root'.

CVSS 7.8 | AI score 7.9 | EPSS 0.02478

added 2017/01/18 10:59 p.m. | 64 views

CVE-2016-3413

Unspecified vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to affect integrity via unknown vectors, aka bug 103996.

CVSS 7.5 | AI score 7.9 | EPSS 0.01241

added 2024/12/19 11:15 p.m. | 63 views

CVE-2024-54663

An issue was discovered in the Webmail Classic UI in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A Local File Inclusion (LFI) vulnerability exists in the /h/rest endpoint, allowing authenticated remote attackers to include and access sensitive files in the WebRoot directory. Exploitation requ...

CVSS 7.5 | AI score 6.7 | EPSS 0.00067

added 2024/02/13 6:15 p.m. | 62 views

CVE-2023-50808

Zimbra Collaboration before Kepler 9.0.0 Patch 38 GA allows DOM-based JavaScript injection in the Modern UI.

CVSS 9.1 | AI score 7 | EPSS 0.00539

added 2025/04/29 4:15 p.m. | 60 views

CVE-2025-32354

In Zimbra Collaboration (ZCS) 9.0 through 10.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the GraphQL endpoint (/service/extension/graphql) of Zimbra webmail due to a lack of CSRF token validation. This allows attackers to perform unauthorized GraphQL operations, such as modifying...

CVSS 8.8 | AI score 6.9 | EPSS 0.00024

added 2017/03/29 2:59 p.m. | 53 views

CVE-2016-9924

Zimbra Collaboration Suite (ZCS) before 8.7.4 allows remote attackers to conduct XML External Entity (XXE) attacks.

CVSS 9.8 | AI score 9.4 | EPSS 0.01733

added 2017/05/23 4:29 a.m. | 53 views

CVE-2017-6821

Directory traversal vulnerability in Zimbra Collaboration Suite (aka ZCS) before 8.7.6 allows attackers to have unspecified impact via unknown vectors.

CVSS 9.8 | AI score 9.6 | EPSS 0.05007

added 2018/02/04 1:29 a.m. | 52 views

CVE-2017-8783

Synacor Zimbra Collaboration Suite (ZCS) before 8.7.10 has Persistent XSS.

CVSS 5.4 | AI score 5.5 | EPSS 0.00786

added 2017/01/18 10:59 p.m. | 49 views

CVE-2016-3415

Zimbra Collaboration before 8.7.0 allows remote attackers to conduct deserialization attacks via unspecified vectors, aka bug 102276.

CVSS 9.1 | AI score 9.2 | EPSS 0.01467

added 2017/05/23 4:29 a.m. | 49 views

CVE-2017-6813

A service provided by Zimbra Collaboration Suite (ZCS) before 8.7.6 fails to require needed privileges before performing a few requested operations.

CVSS 9.8 | AI score 9.3 | EPSS 0.01653

added 2018/10/03 8:29 a.m. | 49 views

CVE-2018-17938

Zimbra Collaboration before 8.8.10 GA allows text content spoofing via a loginErrorCode value.

CVSS 5.3 | AI score 5.2 | EPSS 0.00887

added 2013/09/23 8:55 p.m. | 48 views

CVE-2013-5119

Zimbra Collaboration Suite (ZCS) 6.0.16 and earlier allows man-in-the-middle attackers to obtain access by sniffing the network and replaying the ZM_AUTH_TOKEN token.

CVSS 6.8 | AI score 6.6 | EPSS 0.00528

added 2019/05/30 8:29 p.m. | 48 views

CVE-2015-7609

Synacor Zimbra Mail Client 8.6 before 8.6.0 Patch 5 has XSS via the error/warning dialog and email body content in Zimbra.

CVSS 6.1 | AI score 5.9 | EPSS 0.00781

added 2017/01/18 10:59 p.m. | 48 views

CVE-2016-3401

Unspecified vulnerability in Zimbra Collaboration before 8.7.0 allows remote authenticated users to affect integrity via unknown vectors, aka bug 99810.

CVSS 6.5 | AI score 6.7 | EPSS 0.0071

added 2019/05/30 6:29 p.m. | 48 views

CVE-2018-14425

There is a Persistent XSS vulnerability in the briefcase component of Synacor Zimbra Collaboration Suite (ZCS) Zimbra Web Client (ZWC) 8.8.8 before 8.8.8 Patch 7 and 8.8.9 before 8.8.9 Patch 1.

CVSS 6.1 | AI score 5.9 | EPSS 0.02231

added 2018/05/10 1:29 a.m. | 47 views

CVE-2018-10949

mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 allows Account Enumeration by leveraging a Discrepancy between the "HTTP 404 - account is not active" and "HTTP 401 - must authenticate" errors.

CVSS 5.3 | AI score 5.5 | EPSS 0.09308

added 2019/05/30 6:29 p.m. | 46 views

CVE-2018-10948

Synacor Zimbra Admin UI in Zimbra Collaboration Suite before 8.8.0 beta 2 has Persistent XSS via mail addrs.

CVSS 4.8 | AI score 4.8 | EPSS 0.00197

added 2018/05/10 1:29 a.m. | 46 views

CVE-2018-10951

mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 before 8.6.0.Patch10 allows zimbraSSLPrivateKey read access via a GetServer, GetAllServers, or GetAllActiveServers call in the Admin SOAP API.

CVSS 6.5 | AI score 6.2 | EPSS 0.00391

added 2017/05/17 2:29 p.m. | 45 views

CVE-2016-3403

Multiple cross-site request forgery (CSRF) vulnerabilities in the Admin Console in Zimbra Collaboration before 8.6.0 Patch 8 allow remote attackers to hijack the authentication of administrators for requests that (1) add, (2) modify, or (3) remove accounts by leveraging failure to use of a CSRF tok...

CVSS 8.8 | AI score 9.1 | EPSS 0.02642

added 2019/05/30 4:29 p.m. | 45 views

CVE-2018-15131

An issue was discovered in Synacor Zimbra Collaboration Suite 8.6.x before 8.6.0 Patch 11, 8.7.x before 8.7.11 Patch 6, 8.8.x before 8.8.8 Patch 9, and 8.8.9 before 8.8.9 Patch 3. Account number enumeration is possible via inconsistent responses for specific types of authentication requests.

CVSS 5.3 | AI score 5.4 | EPSS 0.02391

added 2024/11/21 5:15 p.m. | 44 views

CVE-2024-45194

In Zimbra Collaboration (ZCS) 9.0 and 10.0, a vulnerability in the Webmail Modern UI allows execution of stored Cross-Site Scripting (XSS) payloads. An attacker with administrative access to the Zimbra Administration Panel can inject malicious JavaScript code while configuring an email account. Thi...

CVSS 4.8 | AI score 5.9 | EPSS 0.00082

added 2025/05/14 8:15 p.m. | 44 views

CVE-2024-45516

An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, poten...

CVSS 6.1 | AI score 5.6 | EPSS 0.0002

added 2017/01/18 10:59 p.m. | 43 views

CVE-2016-3406

Multiple cross-site request forgery (CSRF) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to hijack the authentication of unspecified victims via vectors involving (1) the Client uploader extension or (2) extension REST handlers, aka bugs 104294 and 104456.

CVSS 8.8 | AI score 8.9 | EPSS 0.03144

added 2017/01/18 10:59 p.m. | 42 views

CVE-2016-3402

Unspecified vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to affect confidentiality via unknown vectors, aka bug 99167.

CVSS 7.5 | AI score 7.8 | EPSS 0.01506

added 2017/01/18 10:59 p.m. | 42 views

CVE-2016-3408

Cross-site scripting (XSS) vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bug 101813.

CVSS 6.1 | AI score 6.2 | EPSS 0.00464

added 2017/01/18 10:59 p.m. | 42 views

CVE-2016-3410

Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bugs 103956, 103995, 104475, 104838, and 104839.

CVSS 6.1 | AI score 6.5 | EPSS 0.00441

added 2017/05/23 4:29 a.m. | 41 views

CVE-2017-7288

Cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite (ZCS) before 8.7.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 6.1 | AI score 5.9 | EPSS 0.00483

added 2024/11/21 4:15 p.m. | 41 views

CVE-2024-45514

An issue was discovered in Zimbra Collaboration (ZCS) through v10.1. A Cross-Site Scripting (XSS) vulnerability exists in one of the endpoints of Zimbra Webmail due to insufficient sanitization of the packages parameter. Attackers can bypass the existing checks by using encoded characters, allowing...

CVSS 5.4 | AI score 6.2 | EPSS 0.00069

added 2018/02/04 1:29 a.m. | 40 views

CVE-2017-17703

Synacor Zimbra Collaboration Suite (ZCS) before 8.8.3 has Persistent XSS.

CVSS 6.1 | AI score 6.3 | EPSS 0.00703

added 2018/05/30 9:29 p.m. | 40 views

CVE-2018-10939

Zimbra Web Client (ZWC) in Zimbra Collaboration Suite 8.8 before 8.8.8.Patch4 and 8.7 before 8.7.11.Patch4 has Persistent XSS via a contact group.

CVSS 6.1 | AI score 5.9 | EPSS 0.02859

added 2020/07/02 4:15 p.m. | 40 views

CVE-2020-13653

An XSS vulnerability exists in the Webmail component of Zimbra Collaboration Suite before 8.8.15 Patch 11. It allows an attacker to inject executable JavaScript into the account name of a user's profile. The injected code can be reflected and executed when changing an e-mail signature.

CVSS 6.1 | AI score 5.9 | EPSS 0.01191

added 2017/01/18 10:59 p.m. | 39 views

CVE-2016-3409

Cross-site scripting (XSS) vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bug 102637.

CVSS 6.1 | AI score 6.2 | EPSS 0.00441

added 2017/01/18 10:59 p.m. | 39 views

CVE-2016-3414

Unspecified vulnerability in Zimbra Collaboration before 8.6.0 Patch 7 allows remote authenticated users to affect availability via unknown vectors, aka bug 102029.

CVSS 6.5 | AI score 6.1 | EPSS 0.01638

Total number of security vulnerabilities: 66