Collaboration@* Security Vulnerabilities and Issues — Collaboration@* CVE List

Lucene search

ZimbraCollaboration*

22 matches found

CVE•added 2022/02/09 4:15 a.m.•1040 views

CVE-2022-24682

An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild starting in December 2021. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing ...

6.1CVSS6.3AI score0.77845EPSS

CVE•added 2024/10/02 10:15 p.m.•339 views

CVE-2024-45519

The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows unauthenticated users to execute commands.

10CVSS7.4AI score0.9415EPSS

CVE•added 2021/07/02 7:15 p.m.•196 views

CVE-2021-35208

An issue was discovered in ZmMailMsgView.js in the Calendar Invite component in Zimbra Collaboration Suite 8.8.x before 8.8.15 Patch 23. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected in...

5.4CVSS6.2AI score0.01394EPSS

CVE•added 2021/07/02 7:15 p.m.•147 views

CVE-2021-35209

An issue was discovered in ProxyServlet.java in the /proxy servlet in Zimbra Collaboration Suite 8.8 before 8.8.15 Patch 23 and 9.x before 9.0.0 Patch 16. The value of the X-Host header overwrites the value of the Host header in proxied requests. The value of X-Host header is not checked against th...

9.8CVSS7.6AI score0.02663EPSS

CVE•added 2024/08/12 3:15 p.m.•137 views

CVE-2024-27443

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this...

6.1CVSS5.1AI score0.28366EPSS

CVE•added 2025/03/12 3:15 p.m.•93 views

CVE-2025-27915

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its em...

5.4CVSS5.2AI score0.00063EPSS

CVE•added 2021/07/02 7:15 p.m.•90 views

CVE-2021-34807

An open redirect vulnerability exists in the /preauth Servlet in Zimbra Collaboration Suite through 9.0. To exploit the vulnerability, an attacker would need to have obtained a valid zimbra auth token or a valid preauth token. Once the token is obtained, an attacker could redirect a user to any URL...

6.1CVSS6AI score0.00864EPSS

CVE•added 2021/07/02 7:15 p.m.•90 views

CVE-2021-35207

An issue was discovered in Zimbra Collaboration Suite 8.8 before 8.8.15 Patch 23 and 9.0 before 9.0.0 Patch 16. An XSS vulnerability exists in the login component of Zimbra Web Client, in which an attacker can execute arbitrary JavaScript by adding executable JavaScript to the loginErrorCode parame...

6.1CVSS6.1AI score0.00993EPSS

CVE•added 2024/02/13 4:15 p.m.•83 views

CVE-2023-45207

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15, 9.0, and 10.0. An attacker can send a PDF document through mail that contains malicious JavaScript. While previewing this file in webmail in the Chrome browser, the stored XSS payload is executed. (This has been mitigated by sanitising t...

6.1CVSS5.8AI score0.00455EPSS

CVE•added 2023/12/07 5:15 a.m.•76 views

CVE-2023-41106

An issue was discovered in Zimbra Collaboration (ZCS) before 10.0.3. An attacker can gain access to a Zimbra account. This is also fixed in 9.0.0 Patch 35 and 8.8.15 Patch 42.

7.5CVSS7.5AI score0.00379EPSS

CVE•added 2024/02/13 4:15 p.m.•74 views

CVE-2023-48432

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15, 9.0, and 10.0. XSS, with resultant session stealing, can occur via JavaScript code in a link (for a webmail redirection endpoint) within en email message, e.g., if a victim clicks on that link within Zimbra webmail.

6.1CVSS6.9AI score0.00569EPSS

CVE•added 2024/02/13 4:15 p.m.•70 views

CVE-2023-45206

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15, 9.0, and 10.0. Through the help document endpoint in webmail, an attacker can inject JavaScript or HTML code that leads to cross-site scripting (XSS). (Adding an adequate message to avoid malicious code will mitigate this issue.)

6.1CVSS6AI score0.00359EPSS

CVE•added 2024/02/13 6:15 p.m.•62 views

CVE-2023-50808

Zimbra Collaboration before Kepler 9.0.0 Patch 38 GA allows DOM-based JavaScript injection in the Modern UI.

9.1CVSS7AI score0.00539EPSS

CVE•added 2020/12/17 4:15 a.m.•60 views

CVE-2020-35123

In Zimbra Collaboration Suite Network Edition versions < 9.0.0 P10 and 8.8.15 P17, there exists an XXE vulnerability in the saml consumer store extension, which is vulnerable to XXE attacks. This has been fixed in Zimbra Collaboration Suite Network edition 9.0.0 Patch 10 and 8.8.15 Patch 17.

6.5CVSS6.2AI score0.00919EPSS

CVE•added 2024/08/12 3:15 p.m.•60 views

CVE-2024-33535

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The vulnerability involves unauthenticated local file inclusion (LFI) in a web application, specifically impacting the handling of the packages parameter. Attackers can exploit this flaw to include arbitrary local files without aut...

7.5CVSS6.5AI score0.00358EPSS

CVE•added 2024/10/22 5:15 p.m.•51 views

CVE-2024-45518

An issue was discovered in Zimbra Collaboration (ZCS) 10.1.x before 10.1.1, 10.0.x before 10.0.9, 9.0.0 before Patch 41, and 8.8.15 before Patch 46. It allows authenticated users to exploit Server-Side Request Forgery (SSRF) due to improper input sanitization and misconfigured domain whitelisting. ...

8.8CVSS7.1AI score0.01704EPSS

CVE•added 2024/08/12 3:15 p.m.•48 views

CVE-2024-33533

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0, issue 1 of 2. A reflected cross-site scripting (XSS) vulnerability has been identified in the Zimbra webmail admin interface. This vulnerability occurs due to inadequate input validation of the packages parameter, allowing an authe...

5.4CVSS5.5AI score0.00147EPSS

CVE•added 2024/08/12 3:15 p.m.•47 views

CVE-2024-33536

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The vulnerability occurs due to inadequate input validation of the res parameter, allowing an authenticated attacker to inject and execute arbitrary JavaScript code within the context of another user's browser session. By uploading...

5.4CVSS6.8AI score0.00131EPSS

CVE•added 2024/08/12 3:15 p.m.•46 views

CVE-2024-27442

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The zmmailboxdmgr binary, a component of ZCS, is intended to be executed by the zimbra user with root privileges for specific mailbox operations. However, an attacker can escalate privileges from the zimbra user to root, because of...

7.8CVSS7.5AI score0.00039EPSS

CVE•added 2025/03/12 3:15 p.m.•43 views

CVE-2025-27914

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A Reflected Cross-Site Scripting (XSS) vulnerability exists in the /h/rest endpoint, allowing authenticated attackers to inject and execute arbitrary JavaScript in a victim's session. Exploitation requires a valid auth tok...

5.4CVSS5.2AI score0.00051EPSS

CVE•added 2023/12/07 6:15 a.m.•42 views

CVE-2023-43103

An XSS issue was discovered in a web endpoint in Zimbra Collaboration (ZCS) before 10.0.4 via an unsanitized parameter. This is also fixed in 8.8.15 Patch 43 and 9.0.0 Patch 36.

6.1CVSS5.9AI score0.00431EPSS

CVE•added 2023/12/07 6:15 a.m.•36 views

CVE-2023-43102

An issue was discovered in Zimbra Collaboration (ZCS) before 10.0.4. An XSS issue can be exploited to access the mailbox of an authenticated user. This is also fixed in 8.8.15 Patch 43 and 9.0.0 Patch 36.

6.1CVSS5.8AI score0.00495EPSS