Zimbra Security Advisories: Difference between revisions
m (Updates for bugs: added 100885, which is a dup of 100899 (CSRF in Admin console); Fix CVSS score 6.8 => 5.8; Covers CVE-2015-6542 as well as CVE-2016-3403) |
(bug 108265 CVSSv2 scoring should be 4.3) |
||
(20 intermediate revisions by 2 users not shown) | |||
Line 22: | Line 22: | ||
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix Release or <br />Patch Version</span></th> | <th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix Release or <br />Patch Version</span></th> | ||
<th style="background-color: #f15922;"><span style="color: #ffffff;">Reporter</span></th> | <th style="background-color: #f15922;"><span style="color: #ffffff;">Reporter</span></th> | ||
</tr> | |||
<tr> | |||
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108786 108786]</td> | |||
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td> | |||
<td>CVE-2018-6882</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td> | |||
<td>Minor</td> | |||
<td>''8.7 Patch 1 (est.)''<br/>''8.8.7 (est.)''</td> | |||
<td>Stephan Kaag of Securify</td> | |||
</tr> | |||
<tr> | |||
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108265 108265]</td> | |||
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td> | |||
<td>Minor</td> | |||
<td>8.6.0 Patch 9<br/>''8.7 Patch 1 (est)''<br/>8.8.3</td> | |||
<td>Veit Hailperin</td> | |||
</tr> | |||
<tr> | |||
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107963 107963]</td> | |||
<td>Host header injection [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td> | |||
<td>-</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td> | |||
<td>Minor</td> | |||
<td>8.8.0 Beta2</td> | |||
<td>-</td> | |||
</tr> | |||
<tr> | |||
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107948 107948] <br /> | |||
[https://bugzilla.zimbra.com/show_bug.cgi?id=107949 107949] | |||
</td> | |||
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td> | |||
<td>-</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td> | |||
<td>Minor</td> | |||
<td>8.8.0 Beta2</td> | |||
<td>Lucideus & Zimbra</td> | |||
</tr> | |||
<tr> | |||
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107925 107925]</td> | |||
<td>Persistent XSS - snippet [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td> | |||
<td>Minor</td> | |||
<td>8.6.0 Patch9<br/>''8.7 Patch 1 (est)''<br/>8.8.0 Beta2</td> | |||
<td>Compass Security</td> | |||
</tr> | |||
<tr> | |||
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 107878]</td> | |||
<td>Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8783 CVE-2017-8783]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td> | |||
<td>Minor</td> | |||
<td>8.7.10</td> | |||
<td>Stephan Kaag of Securify</td> | |||
</tr> | |||
<tr> | |||
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 107712]</td> | |||
<td>Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6821 CVE-2017-6821]</td> | |||
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td> | |||
<td>Minor</td> | |||
<td>8.7.6</td> | |||
<td>Greg Solovyev, Phil Pearl</td> | |||
</tr> | |||
<tr> | |||
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 107684]</td> | |||
<td>Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6813 CVE-2017-6813]</td> | |||
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td> | |||
<td>Major</td> | |||
<td>8.7.6</td> | |||
<td>Greg Solovyev</td> | |||
</tr> | |||
<tr> | |||
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106811 106811]</td> | |||
<td>Limited XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-9924 CVE-2016-9924]</td> | |||
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3]</td> | |||
<td>Minor</td> | |||
<td>8.7.4</td> | |||
<td>Alastair Gray</td> | |||
</tr> | |||
<tr> | |||
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106612 106612]</td> | |||
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td> | |||
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7288 CVE-2017-7288]</td> | |||
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td> | |||
<td>Minor</td> | |||
<td>8.7.1</td> | |||
<td>Sammy Forgit</td> | |||
</tr> | </tr> | ||
Line 63: | Line 165: | ||
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td> | <td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td> | ||
<td>Minor</td> | <td>Minor</td> | ||
<td>8.7.0</td> | <td>8.6.0 Patch8 <br /> 8.7.0</td> | ||
<td>Zimbra</td> | <td>Zimbra</td> | ||
</tr> | </tr> | ||
Line 99: | Line 201: | ||
<tr> | <tr> | ||
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103961 103961] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104828 104828]</td> | <td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103961 103961] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104828 104828]</td> | ||
<td> | <td>CSRF [http://cwe.mitre.org/data/definitions/352.html CWE-352]</td> | ||
<td>CVE-2016-3405</td> | <td>CVE-2016-3405</td> | ||
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td> | <td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td> | ||
<td>Minor</td> | <td>Minor</td> | ||
<td>8.7.0</td> | <td>8.6.0 Patch8 <br /> 8.7.0</td> | ||
<td>Zimbra</td> | <td>Zimbra</td> | ||
</tr> | </tr> | ||
Line 109: | Line 211: | ||
<tr> | <tr> | ||
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103959 103959]</td> | <td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103959 103959]</td> | ||
<td> | <td>CSRF [http://cwe.mitre.org/data/definitions/352.html CWE-352]</td> | ||
<td>CVE-2016-3404</td> | <td>CVE-2016-3404</td> | ||
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td> | <td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td> | ||
<td>Minor</td> | <td>Minor</td> | ||
<td>8.7.0</td> | <td>8.6.0 Patch8 <br /> 8.7.0</td> | ||
<td>Zimbra</td> | <td>Zimbra</td> | ||
</tr> | </tr> | ||
Line 169: | Line 271: | ||
<tr> | <tr> | ||
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102029 102029]</td> | <td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102029 102029]</td> | ||
<td> | <td>[https://cwe.mitre.org/data/definitions/674.html CWE-674]</td> | ||
<td>CVE-2016-3414</td> | <td>CVE-2016-3414</td> | ||
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0]</td> | <td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0]</td> | ||
Line 190: | Line 292: | ||
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=100885 100885] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=100899 100899]</td> | <td>[https://bugzilla.zimbra.com/show_bug.cgi?id=100885 100885] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=100899 100899]</td> | ||
<td>CSRF [http://cwe.mitre.org/data/definitions/352.html CWE-352]</td> | <td>CSRF [http://cwe.mitre.org/data/definitions/352.html CWE-352]</td> | ||
<td>CVE- | <td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3403 CVE-2016-3403]</td> | ||
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td> | <td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td> | ||
<td>Major</td> | <td>Major</td> | ||
<td>8.7.0</td> | <td>8.6.0 Patch8 <br /> 8.7.0</td> | ||
<td>Sysdream</td> | <td>Sysdream</td> | ||
</tr> | </tr> | ||
Line 338: | Line 440: | ||
<tr> | <tr> | ||
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td> | <td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td> | ||
<td>[https://cwe.mitre.org/data/definitions/611.html CWE-611]</td> | <td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td> | ||
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217 CVE-2013-7217]</td> | <td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217 CVE-2013-7217]</td> | ||
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4] <br /> (not 10.0)</td> | <td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4] <br /> (not 10.0)</td> |
Revision as of 22:33, 12 February 2018
Zimbra Security Advisories
Overview
The following Security Vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest release and patches, please be sure to update your Zimbra Collaboration servers with the software available on our Download pages:
- Zimbra Collaboration - Network Edition: https://www.zimbra.com/downloads/ne-downloads.html
- Zimbra Collaboration - Open-Source Edition: https://www.zimbra.com/downloads/os-downloads.html
Zimbra Collaboration - Security Vulnerability Advisories
(going back to ZCS 7.1.3)
Bug# | Summary | CVE-ID | CVSS Score |
Zimbra Rating |
Fix Release or Patch Version |
Reporter |
---|---|---|---|---|---|---|
108786 | Persistent XSS CWE-79 | CVE-2018-6882 | 4.3 | Minor | 8.7 Patch 1 (est.) 8.8.7 (est.) |
Stephan Kaag of Securify |
108265 | Persistent XSS CWE-79 | CVE-2017-17703 | 4.3 | Minor | 8.6.0 Patch 9 8.7 Patch 1 (est) 8.8.3 |
Veit Hailperin |
107963 | Host header injection CWE-20 | - | 4.3 | Minor | 8.8.0 Beta2 | - |
107948 |
Persistent XSS CWE-79 | - | 3.5 | Minor | 8.8.0 Beta2 | Lucideus & Zimbra |
107925 | Persistent XSS - snippet CWE-79 | CVE-2017-8802 | 3.5 | Minor | 8.6.0 Patch9 8.7 Patch 1 (est) 8.8.0 Beta2 |
Compass Security |
107878 | Persistent XSS - location CWE-79 | CVE-2017-8783 | 4.0 | Minor | 8.7.10 | Stephan Kaag of Securify |
107712 | Improper limitation of file paths CWE-22 | CVE-2017-6821 | 4.0 | Minor | 8.7.6 | Greg Solovyev, Phil Pearl |
107684 | Improper handling of privileges CWE-280 | CVE-2017-6813 | 4.0 | Major | 8.7.6 | Greg Solovyev |
106811 | Limited XXE CWE-611 | CVE-2016-9924 | 4.3 | Minor | 8.7.4 | Alastair Gray |
106612 | Persistent XSS CWE-79 | CVE-2017-7288 | 4.3 | Minor | 8.7.1 | Sammy Forgit |
105001 105174 |
XSS CWE-79 | CVE-2016-5721 | 4.3 2.1 |
Minor | 8.7.0 | Secu |
104552 104703 |
XSS CWE-79 | CVE-2016-3999 | 4.3 | Minor | 8.7.0 | Nam Habach |
104477 | - | CVE-2016-4019 | 4.3 | Minor | 8.7.0 | Zimbra |
104294 104456 |
CSRF CWE-352 | CVE-2016-3406 | 2.6 | Minor | 8.6.0 Patch8 8.7.0 |
Zimbra |
104222 104910 105071 105175 |
XSS CWE-79 | CVE-2016-3407 | 4.3 3.5 4.3 2.1 |
Minor | 8.7.0 | Zimbra |
103997 104413 104414 104777 104791 |
XSS CWE-79 | CVE-2016-3412 | 3.5 | Minor | 8.7.0 | Zimbra |
103996 | - | CVE-2016-3413 | 2.6 | Minor | 8.7.0 | Zimbra |
103961 104828 |
CSRF CWE-352 | CVE-2016-3405 | 4.3 | Minor | 8.6.0 Patch8 8.7.0 |
Zimbra |
103959 | CSRF CWE-352 | CVE-2016-3404 | 4.3 | Minor | 8.6.0 Patch8 8.7.0 |
Zimbra |
103956 103995 104475 104838 104839 |
XSS CWE-79 | CVE-2016-3410 | 4.3 | Minor | 8.7.0 | Zimbra |
103609 | XSS CWE-79 | CVE-2016-3411 | 3.5 | Minor | 8.7.0 | Zimbra |
102637 | XSS CWE-79 | CVE-2016-3409 | 4.3 | Minor | 8.7.0 | Peter Nguyen |
102276 | CWE-502 | CVE-2016-3415 | 5.8 | Major | 8.7.0 | Zimbra |
102227 | CWE-502 | n/a | 7.5 | Major | 8.7.0 | Upstream, see CVE-2015-4852 |
102029 | CWE-674 | CVE-2016-3414 | 4.0 | Minor | 8.6.0 Patch7 8.7.0 |
Zimbra |
101813 | XSS CWE-79 | CVE-2016-3408 | 4.3 | Minor | 8.7.0 | Volexity |
100885 100899 |
CSRF CWE-352 | CVE-2016-3403 | 5.8 | Major | 8.6.0 Patch8 8.7.0 |
Sysdream |
99810 | - | CVE-2016-3401 | 3.5 | Minor | 8.7.0 | Zimbra |
99167 | - | CVE-2016-3402 | 2.6 | Minor | 8.7.0 | Zimbra |
101435 101436 |
Persistent XSS CWE-79 | CVE-2015-7609 | 6.4 2.3 |
Major | 8.6.0 Patch5 8.7.0 |
Fortinet's FortiGuard Labs |
101559 100133 99854 99914 96973 |
XSS CWE-79 | CVE-2015-2249 | 3.5 | Minor | 8.6.0 Patch5 8.7.0 |
Zimbra |
99236 | XSS Vuln in YUI components in ZCS | n/a | 4.3 | Minor | 8.6.0 Patch5 | Upstream, see CVE-2012-5881 CVE-2012-5882 CVE-2012-5883 |
98358 98216 98215 |
Non-Persistent XSS CWE-79 | CVE-2015-2249 | 4.3 | Minor | 8.6.0 Patch2 8.7.0 |
Cure53 |
97625 | Non-Persistent XSS CWE-79 | CVE-2015-2230 | 3.5 | Minor | 8.6.0 Patch2 | MWR InfoSecurity |
96105 | Improper Input Validation CWE-20 | CVE-2014-8563 | 5.8 | Major | 8.0.9 8.5.1 8.6.0 |
- |
83547 | CSRF Vulnerability CWE-352 | CVE-2015-6541 | 5.8 | Major | 8.5.0 | iSEC Partners, Sysdream |
87412 92825 92833 92835 |
XSS Vulnerabilities CWE-79 (8.0.7 Patch contains 87412) |
CVE-2014-5500 | 4.3 | Minor | 8.0.8 8.5.0 |
- |
83550 | Session Fixation CWE-384 | CVE-2013-5119 | 5.8 | Major | 8.5.0 | - |
91484 | Patch ZCS8 OpenSSL for CVE-2014-0224 | n/a | 6.8 | Major |
8.0.3+Patch 8.0.4+Patch 8.0.5+Patch 8.0.6+Patch 8.0.7+Patch |
Upstream, see CVE-2014-0224 |
88708 | Patch ZCS8 OpenSSL for CVE-2014-0160 | n/a | 5.0 | Major |
8.0.3+Patch 8.0.4+Patch 8.0.5+Patch 8.0.6+Patch 8.0.7+Patch 8.0.7 |
Upstream, see CVE-2014-0160 |
85499 | Upgrade to OpenSSL 1.0.1f | n/a | 4.3 4.3 5.8 |
Major | 8.0.7 | Upstream, see CVE-2013-4353 CVE-2013-6449 CVE-2013-6450 |
84547 | XXE CWE-611 | CVE-2013-7217 | 6.4 (not 10.0) |
Critical | 7.2.2_Patch3 7.2.3_Patch 7.2.4_Patch2 7.2.5_Patch 7.2.6 8.0.3_Patch3 8.0.4_Patch2 8.0.5_Patch 8.0.6 |
Private |
85478 | XSS vulnerability in message view | - | 6.4 | Major | 8.0.7 | Alban Diquet of iSEC Partners |
85411 | Local root privilege escalation | - | 6.2 | Major | 8.0.7 | Matthew David |
85000 | Patch nginx for CVE-2013-4547 | n/a | 7.5 | Major | 7.2.7 8.0.7 |
Upstream, see CVE-2013-4547 |
Upgrade to JDK 1.6 u41 Upgrade OpenSSL to 1.0.0k Upgrade to JDK 1.7u15+ Upgrade to OpenSSL 1.0.1d |
n/a | 2.6 | Minor | 7.2.3 7.2.3 8.0.3 8.0.3 |
Upstream, see CVE-2013-0169 |
|
80338 | Local file inclusion via skin/branding feature CWE-22 | CVE-2013-7091 | 5.0 | Critical | 6.0.16_Patch 7.1.1_Patch6 7.1.3_Patch3 7.2.2_Patch2 7.2.3 8.0.2_Patch 8.0.3 |
Private |
77655 | Separate keystore for CAs used for X509 authentication | - | 5.8 | Major | 8.0.7 | Private |
75424 | Upgrade to Clamav 0.97.5 | n/a | 4.3 4.3 4.3 |
Minor | 7.2.1 | Upstream, see CVE-2012-1457 CVE-2012-1458 CVE-2012-1459 |
64981 | Do not allow HTTP GET for login | - | 6.8 | Major | 7.1.3_Patch 7.1.4 |
Private |
Try Zimbra
Try now Zimbra Collaboration without any cost with the 60-day free Trial.
Get it now »
Want to get involved?
You can contribute in the Community, in the Wiki, in the Code, or developing Zimlets.
Find out more. »
Other Help Resources
Visit the User Help Page »
Visit the Official Forums »
Zimbra Documentation Page »
Looking for a Video?
Visit our YouTube Channel to keep posted about Webinars, technology news, Product overviews and more.
Go to the YouTube Channel »