Lucene search
+L
ZimbraCollaboration

41 matches found

CVE
CVE
added 2022/08/16 8:0 p.m.266 views

CVE-2022-37393

CVE-2022-37393: Zimbra’s sudo configuration allows the zimbra user to run the zmslapd binary as root with arbitrary parameters. zmslapd can load a user-defined configuration file that may include plugins (.so) executed as root, enabling local privilege escalation. The available connected document...

7.8CVSS8.7AI score0.01683EPSS
In wildWeb
CVE
CVE
added 2021/07/02 6:54 p.m.214 views

CVE-2021-35208

CVE-2021-35208 affects Zimbra Collaboration Suite 8.8.x before 8.8.15 Patch 23 (and 9.x before 9.0.0 Patch 16). The vulnerable component is ZmMailMsgView.js in the Calendar Invite feature, where HTML containing executable JavaScript placed in element attributes can be injected and rendered as arb...

5.4CVSS6.2AI score0.01261EPSS
CVE
CVE
added 2024/08/12 12:0 a.m.199 views

CVE-2024-27443

CVE-2024-27443 affects Zimbra Collaboration (ZCS) 9.0 and 10.0, with a cross-site scripting flaw in the CalendarInvite feature caused by improper input validation of the calendar header. An attacker can embed a payload in a crafted calendar header sent via email; when a recipient views the messag...

6.1CVSS5.1AI score0.19543EPSS
In wild
CVE
CVE
added 2021/07/02 6:54 p.m.164 views

CVE-2021-35209

The CVE-2021-35209 issue affects Zimbra Collaboration Suite via the ProxyServlet /proxy implementation. The X-Host header can override the Host header in proxied requests, and the value is not validated against zimbraProxyAllowedDomains, enabling an SSRF-like possibility and open redirect behavio...

9.8CVSS7.6AI score0.0297EPSS
CVE
CVE
added 2023/06/15 12:0 a.m.133 views

CVE-2023-24030

CVE-2023-24030 describes an open redirect in Zimbra Collaboration Suite’s /preauth servlet up to versions 9.0 and 8.8.15. An attacker must possess a valid zimbra auth or preauth token to trigger a redirect, potentially sending the user to an attacker‑controlled URL if URL sanitisation is bypassed...

6.1CVSS6AI score0.00393EPSS
CVE
CVE
added 2021/07/02 6:54 p.m.115 views

CVE-2021-34807

CVE-2021-34807 affects Zimbra Collaboration Suite. A open redirect vulnerability exists in the /preauth Servlet through version 9.0. Exploitation requires a valid zimbra auth token or valid preauth token; with token data, an attacker could redirect a user to any URL using isredirect=1&redirectURL...

6.1CVSS6AI score0.00971EPSS
CVE
CVE
added 2023/07/06 12:0 a.m.106 views

CVE-2023-29382

CVE-2023-29382 affects Zimbra Collaboration ZCS versions 8.8.15 and 9.0, where the vulnerable component is the JSP page sfdc_preauth.jsp . The issue enables an attacker to execute arbitrary code, as described in the CVE entry. The published metric indicates a CRITICAL impact (CVSS v3.1: 9.8, NETW...

9.8CVSS9.6AI score0.01014EPSS
CVE
CVE
added 2021/07/02 6:55 p.m.105 views

CVE-2021-35207

CVE-2021-35207 reports an XSS in the Zimbra Web Client login component. A attacker could inject executable JavaScript via the loginErrorCode parameter in the login URL to trigger client-side script execution. Affected software includes Zimbra Collaboration Suite 8.8.x before 8.8.15 Patch 23 and 9...

6.1CVSS6.1AI score0.0327EPSS
CVE
CVE
added 2024/02/13 12:0 a.m.103 views

CVE-2023-45207

CVE-2023-45207 concerns Zimbra Collaboration Suite (ZCS) versions 8.8.15, 9.0, and 10.0. An attacker could send a PDF with embedded JavaScript via email; when the PDF is previewed in webmail (Chrome), a stored XSS payload may execute. Documents consistently state that this has been mitigated by s...

6.1CVSS5.8AI score0.00474EPSS
CVE
CVE
added 2023/07/06 12:0 a.m.102 views

CVE-2023-34193

CVE-2023-34193 affects Zimbra ZCS 8.8.15 where an authenticated privileged user can upload via the ClientUploader function, enabling arbitrary code execution and access to sensitive data. Root cause is a file-upload pathway vulnerability in Zimbra ZCS; impact includes high confidentiality, integr...

8.8CVSS8.6AI score0.01169EPSS
CVE
CVE
added 2024/02/13 12:0 a.m.96 views

CVE-2023-26562

In Zimbra Collaboration (ZCS) versions 8.8.15–9.0, a closed account (with 2FA and a generated password) can send email when Imap/smtp is configured. Red Hat and other connected sources describe a root cause related to insufficient account-status checks for 2FA accounts, enabling mail sending desp...

6.5CVSS6.8AI score0.00585EPSS
CVE
CVE
added 2023/12/07 12:0 a.m.92 views

CVE-2023-41106

CVE-2023-41106 affects Zimbra Collaboration (ZCS) prior to 10.0.3. An unauthenticated attacker could gain access to a Zimbra account. The issue is fixed in 10.0.3 and also in 9.0.0 Patch 35 and 8.8.15 Patch 42. Remediation is to upgrade to a fixed release (10.0.3+ or corresponding patched lines)....

7.5CVSS7.5AI score0.00865EPSS
CVE
CVE
added 2024/02/13 12:0 a.m.92 views

CVE-2023-48432

CVE-2023-48432 affects Zimbra Collaboration Server (ZCS) 8.8.15, 9.0, and 10.0. The issue is an XSS in a link used by the webmail redirection endpoint inside an email message, enabling potential session stealing when a victim clicks the link in Zimbra WebMail. Exploitation context is user interac...

6.1CVSS6.9AI score0.00465EPSS
CVE
CVE
added 2022/09/26 1:29 a.m.90 views

CVE-2022-41347

CVE-2022-41347 affects Zimbra Collaboration Suite (ZCS) 8.8.x and 9.x (e.g., 8.8.15). The issue arises from a sudo configuration that allows the zimbra user to execute the NGINX binary as root with arbitrary parameters. Since NGINX can load a user-defined configuration file that loads plugins as ...

7.8CVSS7.7AI score0.00401EPSS
CVE
CVE
added 2022/10/12 12:0 a.m.90 views

CVE-2022-41348

CVE-2022-41348 affects Zimbra Collaboration (ZCS) 9.0. An XSS vulnerability exists via the onerror attribute of an IMG element, potentially leading to information disclosure. Multiple connected sources corroborate this description. The vulnerability is tied to ZCS 9.0 and is described as an XSS i...

6.1CVSS5.7AI score0.00401EPSS
CVE
CVE
added 2024/02/13 12:0 a.m.89 views

CVE-2023-45206

Consolidated details for CVE-2023-45206 show a Zimbra Collaboration (ZCS) XSS vulnerability affecting versions 8.8.15, 9.0, and 10.0. The attack vector is via the help document endpoint in webmail, where an attacker can inject JavaScript/HTML, enabling cross-site scripting. The confirmed root cau...

6.1CVSS6AI score0.0041EPSS
CVE
CVE
added 2023/06/15 12:0 a.m.87 views

CVE-2023-24032

Summary of findings (CVE-2023-24032) : The vulnerability affects Zimbra Collaboration Suite versions 8.8.15 through 9.0. An attacker who already has initial user access to a Zimbra server can escalate to root by passing a crafted JVM argument, enabling local privilege escalation via the mailbox m...

7.8CVSS7.9AI score0.00958EPSS
CVE
CVE
added 2022/08/11 7:40 p.m.85 views

CVE-2022-37043

CVE-2022-37043 affects Zimbra Collaboration Suite webmail (ZCS) 8.8.15 and 9.0.0. The issue is a preauth CSRF flaw where CSRF tokens are not checked on certain POST endpoints, allowing an authenticated user viewing an attacker‑controlled page to cause the application to process requests that appe...

5.7CVSS6.3AI score0.00284EPSS
CVE
CVE
added 2024/08/12 12:0 a.m.83 views

CVE-2024-33535

CVE-2024-33535 affects Zimbra Collaboration (ZCS) 9.0 and 10.0 via unauthenticated local file inclusion (LFI) in a web application, specifically in how the packages parameter is handled. The flaw allows an attacker to include arbitrary local files without authentication within a restricted direct...

7.5CVSS6.5AI score0.00553EPSS
CVE
CVE
added 2022/07/11 12:0 a.m.82 views

CVE-2022-32294

The connected sources confirm a vulnerability in Zimbra Collaboration Open Source 8.8.15 where the initial-login randomly created password (generated by the zmprove ca command) is not encrypted and is visible in cleartext on UDP port 514 (syslog). Root cause described as lack of encryption for th...

9.8CVSS9.4AI score0.0244EPSS
CVE
CVE
added 2022/10/12 12:0 a.m.80 views

CVE-2022-41349

CVE-2022-41349 affects Zimbra Collaboration Suite (ZCS) 8.8.15. The vulnerability is a Reflected XSS in the /h/compose endpoint, where the attachUrl parameter is not properly sanitized, allowing execution of arbitrary JavaScript in a victim’s browser. Affected product/version: ZCS 8.8.15. Underly...

6.1CVSS6.2AI score0.0036EPSS
Web
CVE
CVE
added 2022/10/12 12:0 a.m.78 views

CVE-2022-41351

CVE-2022-41351 affects Zimbra Collaboration Suite (ZCS) 8.8.15. The vulnerability is a cross-site scripting (XSS) flaw at the /h/calendar endpoint, triggered by inserting JavaScript into the view parameter and setting the uncheck parameter to a non-numeric string. The underlying issue is describe...

6.1CVSS6AI score0.0041EPSS
Web
CVE
CVE
added 2020/12/17 3:52 a.m.76 views

CVE-2020-35123

The CVE-2020-35123 issue affects Zimbra Collaboration Suite Network Edition, specifically versions

6.5CVSS6.2AI score0.01481EPSS
CVE
CVE
added 2024/02/13 12:0 a.m.76 views

CVE-2023-50808

CVE-2023-50808 affects Zimbra Collaboration prior to Kepler 9.0.0 Patch 38 GA, where the Modern UI is vulnerable to DOM-based JavaScript injection. The root cause is DOM manipulation in the Modern UI that enables injected script execution, as described across multiple sources. Impact statements i...

9.1CVSS7AI score0.00436EPSS
CVE
CVE
added 2022/12/05 12:0 a.m.75 views

CVE-2022-45912

CVE-2022-45912 affects Zimbra Collaboration (ZCS) 8.8.15 and 9.0, where an authenticated administrator can abuse the ClientUploader utility to upload files and traverse directories, enabling remote code execution. The vulnerability originates from how ClientUploader handles uploads, permitting tr...

7.2CVSS7.5AI score0.0114EPSS
CVE
CVE
added 2024/08/12 12:0 a.m.75 views

CVE-2024-33533

Vulnerability summary (CVE-2024-33533) : In Zimbra Collaboration (ZCS) 9.0 and 10.0, the webmail admin interface is vulnerable to a reflected XSS due to inadequate input validation of the packages parameter. An authenticated attacker can upload a malicious JavaScript file and craft a URL with its...

5.4CVSS5.5AI score0.00264EPSS
CVE
CVE
added 2024/10/22 12:0 a.m.74 views

CVE-2024-45518

Vulnerability: CVE-2024-45518 affects Zimbra Collaboration (ZCS) versions including 10.1.x before 10.1.1, 10.0.x before 10.0.9, 9.0.0 before Patch 41, and 8.8.15 before Patch 46. The issue is Server-Side Request Forgery (SSRF) due to improper input sanitization and misconfigured domain whitelisti...

8.8CVSS7.1AI score0.20301EPSS
CVE
CVE
added 2023/01/06 12:0 a.m.72 views

CVE-2022-45913

Zimbra Collaboration (ZCS) 9.0 is affected by a Cross‑Site Scripting (XSS) issue in attributes of webmail URLs that can lead to information disclosure. The vulnerability is associated with ZCS 9.0 and is addressed by updates in Zimbra 9.0.0 patch 28 (and in 8.8.15 patch 35 for older branches). No...

6.1CVSS6.1AI score0.0041EPSS
CVE
CVE
added 2023/06/15 12:0 a.m.72 views

CVE-2023-24031

Zimbra Collaboration (ZCS) versions 8.8.15 through 9.0 are affected by an XSS vulnerability in the webmail /h/ endpoint. The root cause is inadequate protection of the web page structure, allowing an attacker to inject JavaScript and cause information disclosure. A practical workaround is to disa...

6.1CVSS6.1AI score0.00401EPSS
CVE
CVE
added 2022/10/12 12:0 a.m.70 views

CVE-2022-41350

CVE-2022-41350 affects Zimbra Collaboration Suite (ZCS) 8.8.15. The vulnerability is a Reflected XSS in the /h/search?action=voicemail&action=listen endpoint where the phone parameter is not properly sanitized, allowing execution of arbitrary JavaScript on the victim’s machine. Public documents c...

6.1CVSS6.2AI score0.0041EPSS
Web
CVE
CVE
added 2022/08/11 7:6 p.m.69 views

CVE-2022-37041

CVE-2022-37041 affects Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0. The issue is in ProxyServlet.java under the /proxy servlet where the X-Forwarded-Host header overwrites the Host header in proxied requests and is not checked against ZCS’s allowed proxy domains (zimbraProxyAllowedDomains). T...

7.5CVSS7.9AI score0.00561EPSS
CVE
CVE
added 2023/12/07 12:0 a.m.64 views

CVE-2023-43103

Summary of CVE-2023-43103 (Zimbra Collaboration) Affects Zimbra Collaboration (ZCS) web endpoint. The vulnerability is a cross-site scripting (XSS) flaw caused by an unsanitized parameter in the web interface. Reported as present in ZCS versions prior to 10.0.4, with fixes applied in versions 8.8...

6.1CVSS5.9AI score0.00431EPSS
CVE
CVE
added 2024/08/12 12:0 a.m.64 views

CVE-2024-33536

CVE-2024-33536 (Zimbra) affects Zimbra Collaboration Suite (ZCS) 9.0 and 10.0. The issue stems from inadequate input validation of the res parameter, enabling an authenticated attacker to inject and execute arbitrary JavaScript in another user’s browser session. Exploitation involves uploading a ...

5.4CVSS6.8AI score0.00246EPSS
CVE
CVE
added 2025/03/12 12:0 a.m.63 views

CVE-2025-27914

CVE-2025-27914 affects Zimbra Collaboration (ZCS) 9.0, 10.0, and 10.1. It is a Reflected Cross-Site Scripting (XSS) vulnerability in the /h/rest endpoint that allows an authenticated attacker with a valid auth token to craft a URL which, when visited by a victim, can inject and execute arbitrary ...

5.4CVSS5.2AI score0.00262EPSS
CVE
CVE
added 2022/08/11 7:44 p.m.62 views

CVE-2022-37044

Affected software: Zimbra Collaboration Suite (ZCS) 8.8.15. Vulnerability: Reflected XSS in the /h/search?action endpoint, where parameters extra, title, and onload are partially sanitized. This can allow execution of arbitrary JavaScript in the victim’s browser. Impact: Client-side script execut...

6.1CVSS6AI score0.0043EPSS
Web
CVE
CVE
added 2023/07/06 12:0 a.m.61 views

CVE-2023-29381

The CVE-2023-29381 entry concerns Zimbra Collaboration (ZCS) versions 8.8.15 and 9.0, where a remote attacker can escalate privileges and disclose sensitive information via the password and 2FA parameters. Multiple connected sources (Red Hat, PT-Security, and related CVE aggregates) confirm the a...

9.8CVSS9.3AI score0.01024EPSS
CVE
CVE
added 2024/08/12 12:0 a.m.58 views

CVE-2024-27442

Zimbra Collaboration (ZCS) 9.0 and 10.0 are affected by CVE-2024-27442. The zmmailboxdmgr binary, intended to run as the zimbra user with root privileges for specific mailbox operations, can be abused to escalate privileges from zimbra to root due to improper handling of input arguments, enabling...

7.8CVSS7.5AI score0.00349EPSS
CVE
CVE
added 2023/12/07 12:0 a.m.56 views

CVE-2023-43102

CVE-2023-43102 affects Zimbra Collaboration (ZCS) before 10.0.4. An XSS flaw could be exploited to access the mailbox of an authenticated user. This is fixed in ZCS 8.8.15 Patch 43 and 9.0.0 Patch 36 ; remediation is to upgrade to 10.0.4+ or apply the corresponding patches.

6.1CVSS5.8AI score0.00431EPSS
CVE
CVE
added 2023/01/06 12:0 a.m.55 views

CVE-2022-45911

CVE-2022-45911 affects Zimbra Collaboration (ZCS) 9.0. An XSS flaw in the Classic UI login page can be triggered by injecting arbitrary JavaScript into the username field before authentication. Exploitation details are not provided in the sources, and there is no indication of sensitive data bein...

6.1CVSS6AI score0.0041EPSS
CVE
CVE
added 2025/07/30 12:0 a.m.28 views

CVE-2024-45515

CVE-2024-45515 affects Zimbra Collaboration (ZCS) up to 10.1.x, with an XSS vulnerability in Zimbra webmail caused by insufficient validation of the content-type metadata when importing files into the briefcase. The underlying issue is improper validation of metadata during file import, allowing ...

6.1CVSS6.1AI score0.00288EPSS
CVE
CVE
added 2025/12/15 12:0 a.m.19 views

CVE-2025-67809

Affected software: Zimbra Collaboration (ZCS) 10.0 and 10.1 with the Flickr Zimlet. Issue: hardcoded Flickr API key and secret embedded in the publicly accessible Zimlet allowed credential disclosure and potential impersonation during Flickr OAuth flows, enabling access to a user’s Flickr data if...

4.7CVSS6.6AI score0.00249EPSS