Zimbra Security Advisories: Difference between revisions

No edit summary
(bug 108902 fixed in 8.7.11p4 and 8.8.8p4)
(42 intermediate revisions by 3 users not shown)
Line 7: Line 7:
<p>The following Security Vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest release and patches, please be sure to update your Zimbra Collaboration servers with the software available on our Download pages:</p>
<p>The following Security Vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest release and patches, please be sure to update your Zimbra Collaboration servers with the software available on our Download pages:</p>
<ul>
<ul>
<li>Zimbra Collaboration - Network Edition: http://www.zimbra.com/downloads/ne-downloads.html#latest_8_release</li>
<li>Zimbra Collaboration - Network Edition: https://www.zimbra.com/downloads/ne-downloads.html</li>
<li>Zimbra Collaboration - Open-Source Edition: http://www.zimbra.com/downloads/os-downloads.html</li>
<li>Zimbra Collaboration - Open-Source Edition: https://www.zimbra.com/downloads/os-downloads.html</li>
</ul>
</ul>
===Zimbra Collaboration - Security Vulnerability Advisories===
===Zimbra Collaboration - Security Vulnerability Advisories===
<p><span style="font-size: medium;"><em>(beginning with ZCS 7.1.3)</em></span></p>
<p><span style="font-size: medium;"><em>(going back to ZCS 7.1.3)</em></span></p>
<div class="col-md-9">
<div class="col-md-12">
     <table class="table table-striped table-condensed">
     <table class="table table-striped table-condensed">
<tr>
<tr>
<td style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;"><strong>Bug Number</strong></span></td>
<th style="background-color: #f15922; width: 80px;"><span style="color: #ffffff;">Bug#</span></th>
<td style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;"><strong>Summary</strong></span></td>
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Summary</span></th>
<td style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;"><strong>CVE ID</strong></span></td>
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVE-ID</strong></span></th>
<td style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;"><strong>CVSS Score</strong></span></td>
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVSS<br />Score</strong></span></th>
<td style="text-align: center; background-color: #f15922;"><strong> [[Zimbra_Vulnerability_Rating_Classification|Zimbra Rating Classification]]<span style="color: #ffffff;"></span> </strong></td>
<th style="text-align: center; background-color: #f15922;">[[Zimbra_Vulnerability_Rating_Classification|Zimbra<br />Rating]]<span style="color: #ffffff;"></span></th>
<td style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;"><strong>Fix Release or Patch Version</strong></span></td>
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix&nbsp;Release&nbsp;or <br />Patch&nbsp;Version</span></th>
<td style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;"><strong>Reporter</strong></span></td>
<th style="background-color: #f15922;"><span style="color: #ffffff;">Reporter</span></th>
</tr>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108902 108902]</td>
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td>
<td>Minor</td>
<td>8.7.11 Patch4<br /> 8.8.8 Patch4</td>
<td>Diego Di Nardo</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108963 108963]</td>
<td>Verbose Error Messages [https://cwe.mitre.org/data/definitions/209.html CWE-209]</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10950 CVE-2018-10950]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td>
<td>Minor</td>
<td>8.7.11 Patch3<br /> 8.8.8</td>
<td>Netragard</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108962 108962]</td>
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10949 CVE-2018-10949]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td>
<td>Major</td>
<td>8.7.11 Patch3 <br /> 8.8.8</td>
<td>Netragard</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108894 108894]</td>
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/199.html CWE-199]</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10951 CVE-2018-10951]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:S/C:P/I:P/A:N) 3.6]</td>
<td>Minor</td>
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3<br /> 8.8.8</td>
<td>Netragard</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97579 97579]</td>
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td>
<td>Major</td>
<td>8.6.0 Patch10 <br /> 8.7.11 Patch2 <br /> 8.8.8 Patch1</td>
<td>Fortinet's FortiGuard Labs</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108786 108786]</td>
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>Minor</td>
<td>8.6.0 Patch10 <br />8.7.11 Patch1 <br /> 8.8.7 <br /> 8.8.8</td>
<td>Stephan Kaag of Securify</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108265 108265]</td>
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>Minor</td>
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.3</td>
<td>Veit Hailperin</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107963 107963]</td>
<td>Host header injection [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td>
<td>-</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>Minor</td>
<td>8.8.0 Beta2</td>
<td>-</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107948 107948] <br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=107949 107949]
</td>
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2018-10948</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td>
<td>Minor</td>
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br />8.8.0 Beta2</td>
<td>Lucideus <br /> Phil Pearl</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107925 107925]</td>
<td>Persistent XSS - snippet [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td>
<td>Minor</td>
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.0 Beta2</td>
<td>Compass Security</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 107878]</td>
<td>Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8783 CVE-2017-8783]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td>
<td>Minor</td>
<td>8.7.10</td>
<td>Stephan Kaag of Securify</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 107712]</td>
<td>Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6821 CVE-2017-6821]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td>
<td>Minor</td>
<td>8.7.6</td>
<td>Greg Solovyev, Phil Pearl</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 107684]</td>
<td>Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6813 CVE-2017-6813]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td>
<td>Major</td>
<td>8.7.6</td>
<td>Greg Solovyev</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106811 106811]</td>
<td>Limited XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-9924 CVE-2016-9924]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3]</td>
<td>Minor</td>
<td>8.6.0 Patch10 <br /> 8.7.4</td>
<td>Alastair Gray</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106612 106612]</td>
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7288 CVE-2017-7288]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>Minor</td>
<td>8.7.1</td>
<td>Sammy Forgit</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=105001 105001] <br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105174 105174]</td>
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2016-5721</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td>
<td>Minor</td>
<td>8.7.0</td>
<td>Secu</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104552 104552] <br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104703 104703]</td>
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2016-3999</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>Minor</td>
<td>8.7.0</td>
<td>Nam Habach</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104477 104477]</td>
<td><!-- [http://cwe.mitre.org/data/definitions/601.html CWE-601] -->-</td>
<td>CVE-2016-4019</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>Minor</td>
<td>8.7.0</td>
<td>Zimbra</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104294 104294] <br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104456 104456]</td>
<td>CSRF [http://cwe.mitre.org/data/definitions/352.html CWE-352]</td>
<td>CVE-2016-3406</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td>
<td>Minor</td>
<td>8.6.0 Patch8 <br /> 8.7.0</td>
<td>Zimbra</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104222 104222] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104910 104910] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=105071 105071] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=105175 105175]</td>
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2016-3407</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td>
<td>Minor</td>
<td>8.7.0</td>
<td>Zimbra</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103997 103997] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104413 104413] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104414 104414] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104777 104777] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104791 104791]</td>
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2016-3412</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td>
<td>Minor</td>
<td>8.7.0</td>
<td>Zimbra</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103996 103996]</td>
<td><!-- [http://cwe.mitre.org/data/definitions/611.html CWE-611] -->-</td>
<td>CVE-2016-3413</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td>
<td>Minor</td>
<td>8.7.0</td>
<td>Zimbra</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103961 103961] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104828 104828]</td>
<td>CSRF [http://cwe.mitre.org/data/definitions/352.html CWE-352]</td>
<td>CVE-2016-3405</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>Minor</td>
<td>8.6.0 Patch8 <br /> 8.7.0</td>
<td>Zimbra</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103959 103959]</td>
<td>CSRF [http://cwe.mitre.org/data/definitions/352.html CWE-352]</td>
<td>CVE-2016-3404</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>Minor</td>
<td>8.6.0 Patch8 <br /> 8.7.0</td>
<td>Zimbra</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103956 103956] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=103995 103995] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104475 104475] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104838 104838] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104839 104839]</td>
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2016-3410</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>Minor</td>
<td>8.7.0</td>
<td>Zimbra</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103609 103609]</td>
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2016-3411</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td>
<td>Minor</td>
<td>8.7.0</td>
<td>Zimbra</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102637 102637]</td>
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2016-3409</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>Minor</td>
<td>8.7.0</td>
<td>Peter Nguyen</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102276 102276]</td>
<td>[https://cwe.mitre.org/data/definitions/502.html CWE-502]</td>
<td>CVE-2016-3415</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td>
<td>Major</td>
<td>8.7.0</td>
<td>Zimbra</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102227 102227]</td>
<td>[https://cwe.mitre.org/data/definitions/502.html CWE-502]</td>
<td>n/a</td>
<td>7.5</td>
<td>Major</td>
<td>8.7.0</td>
<td>Upstream, see <br /> CVE-2015-4852</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102029 102029]</td>
<td>[https://cwe.mitre.org/data/definitions/674.html CWE-674]</td>
<td>CVE-2016-3414</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0]</td>
<td>Minor</td>
<td>8.6.0 Patch7 <br /> 8.7.0</td>
<td>Zimbra</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101813 101813]</td>
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2016-3408</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>Minor</td>
<td>8.7.0</td>
<td>Volexity</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=100885 100885] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=100899 100899]</td>
<td>CSRF [http://cwe.mitre.org/data/definitions/352.html CWE-352]</td>
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3403 CVE-2016-3403]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td>
<td>Major</td>
<td>8.6.0 Patch8 <br /> 8.7.0</td>
<td>Sysdream</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99810 99810]</td>
<td><!-- [http://cwe.mitre.org/data/definitions/284.html CWE-284]  [http://cwe.mitre.org/data/definitions/203.html CWE-203] -->-</td>
<td>CVE-2016-3401</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td>
<td>Minor</td>
<td>8.7.0</td>
<td>Zimbra</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99167 99167]</td>
<td><!-- [http://cwe.mitre.org/data/definitions/203.html CWE-203] -->-</td>
<td>CVE-2016-3402</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td>
<td>Minor</td>
<td>8.7.0</td>
<td>Zimbra</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101435 101435] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=101436 101436]</td>
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2015-7609</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]<br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.3]</td>
<td>Major</td>
<td>8.6.0 Patch5 <br /> 8.7.0</td>
<td>Fortinet's FortiGuard Labs</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101559 101559] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=100133 100133] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=99854 99854] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=99914 99914] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=96973 96973]</td>
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2015-2249</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td>
<td>Minor</td>
<td>8.6.0 Patch5 <br /> 8.7.0</td>
<td>Zimbra</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99236 99236]</td>
<td>XSS Vuln in YUI components in ZCS</td>
<td>n/a</td>
<td>4.3</td>
<td>Minor</td>
<td>8.6.0 Patch5</td>
<td style="white-space:nowrap">Upstream, see <br /> CVE-2012-5881 <br /> CVE-2012-5882 <br /> CVE-2012-5883</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=98358 98358] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=98216 98216] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=98215 98215]</td>
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2015-2249</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>Minor</td>
<td>8.6.0 Patch2 <br /> 8.7.0</td>
<td>Cure53</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97625 97625]</td>
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2015-2230</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td>
<td>Minor</td>
<td>8.6.0 Patch2</td>
<td>MWR InfoSecurity</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=96105 96105]</td>
<td>Improper Input Validation [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td>
<td>CVE-2014-8563</td>
<td>[http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td>
<td>Major</td>
<td>8.0.9 <br /> 8.5.1<br /> 8.6.0</td>
<td>&nbsp;-</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83547 83547]</td>
<td>CSRF Vulnerability [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td>
<td>CVE-2015-6541</td>
<td>[http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td>
<td>Major</td>
<td>8.5.0</td>
<td>iSEC Partners, Sysdream</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=92825 92825] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=92833 92833] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=92835 92835]</td>
<td>XSS Vulnerabilities [https://cwe.mitre.org/data/definitions/79.html CWE-79] <br /> (8.0.7 Patch <br /> contains [https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412])</td>
<td>CVE-2014-5500</td>
<td>[http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>Minor</td>
<td>8.0.8 <br /> 8.5.0</td>
<td>&nbsp;-</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83550 83550]</td>
<td>Session Fixation [https://cwe.mitre.org/data/definitions/384.html CWE-384]</td>
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5119 CVE-2013-5119]</td>
<td>[http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/AU:N/C:P/I:P/A:N) 5.8]</td>
<td>Major</td>
<td>8.5.0</td>
<td>-&nbsp;</td>
</tr>
<tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=91484 91484]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=91484 91484]</td>
<td>Patch ZCS8 OpenSSL for CVE-2014-0224</td>
<td>Patch ZCS8 OpenSSL for CVE-2014-0224</td>
<td>[https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224]</td>
<td>n/a</td>
<td>6.8</td>
<td>6.8</td>
<td>Major</td>
<td>Major</td>
<td>8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch<br />] 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch]<br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch]<br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch]<br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch]<br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch]</td>
<td style="white-space:nowrap">
<td>Upstream</td>
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch]</td>
<td style="white-space:nowrap">Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224]</td>
</tr>
</tr>
<tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=88708 88708]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=88708 88708]</td>
<td>Patch ZCS8 OpenSSL for CVE-2014-0160</td>
<td>Patch ZCS8 OpenSSL for CVE-2014-0160</td>
<td>[https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 CVE-2014-0160]</td>
<td>n/a</td>
<td>5.0</td>
<td>5.0</td>
<td>Major</td>
<td>Major</td>
<td>8.0.3+[/support/security/b/weblog/archive/2014/05/19/critical-security-advisory-and-builds-patches-for-the-openssl-heartbleed-vulnerability.aspx Patch]<br /> 8.0.4+[/support/security/b/weblog/archive/2014/05/19/critical-security-advisory-and-builds-patches-for-the-openssl-heartbleed-vulnerability.aspx Patch]<br /> 8.0.5+[/support/security/b/weblog/archive/2014/05/19/critical-security-advisory-and-builds-patches-for-the-openssl-heartbleed-vulnerability.aspx Patch]<br /> 8.0.6+[/support/security/b/weblog/archive/2014/05/19/critical-security-advisory-and-builds-patches-for-the-openssl-heartbleed-vulnerability.aspx Patch]<br /> 8.0.7+[/support/security/b/weblog/archive/2014/05/19/critical-security-advisory-and-builds-patches-for-the-openssl-heartbleed-vulnerability.aspx Patch]<br /> 8.0.7</td>
<td style="white-space:nowrap">
<td>Upstream</td>
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7</td>
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 CVE-2014-0160] </td>
</tr>
</tr>
<tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85499 85499]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85499 85499]</td>
<td>Upgrade to OpenSSL 1.0.1f</td>
<td>Upgrade to OpenSSL 1.0.1f</td>
<td>[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353 CVE-2013-4353]<br /> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6449 CVE-2013-6449]<br /> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6450 CVE-2013-6450]</td>
<td>n/a</td>
<td>4.3<br />4.3<br />5.8</td>
<td>4.3 <br /> 4.3 <br /> 5.8</td>
<td>Major</td>
<td>Major</td>
<td>8.0.7</td>
<td>8.0.7</td>
<td>Upstream</td>
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353 CVE-2013-4353] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6449 CVE-2013-6449] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6450 CVE-2013-6450]</td>
</tr>
</tr>
<tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td>
<td>Critical Vulnerability</td>
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td>
<td>[http://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217 CVE-2013-7217]</td>
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217 CVE-2013-7217]</td>
<td>10.0<br /> [http://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4] <br /> (not 10.0)</td>
<td>Critical</td>
<td>Critical</td>
<td>7.2.2_Patch3<br /> 7.2.3_Patch<br /> 7.2.4_Patch2<br /> 7.2.5_Patch<br /> 7.2.6<br /> 8.0.3_Patch3<br /> 8.0.4_Patch2<br /> 8.0.5_Patch<br /> 8.0.6</td>
<td>7.2.2_Patch3 <br /> 7.2.3_Patch <br /> 7.2.4_Patch2 <br /> 7.2.5_Patch <br /> 7.2.6 <br /> 8.0.3_Patch3 <br /> 8.0.4_Patch2 <br /> 8.0.5_Patch <br /> 8.0.6</td>
<td>Private</td>
<td>Private</td>
</tr>
</tr>
Line 63: Line 501:
<td>XSS vulnerability in message view</td>
<td>XSS vulnerability in message view</td>
<td>-</td>
<td>-</td>
<td>[http://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td>
<td>Major</td>
<td>Major</td>
<td>8.0.7</td>
<td>8.0.7</td>
<td>
<td style="white-space:nowrap">Alban Diquet <br /> of iSEC&nbsp;Partners</td>
<p>Alban Diquet of iSEC&nbsp;Partners</p>
</td>
</tr>
</tr>
<tr>
<tr>
Line 74: Line 510:
<td>Local root privilege escalation</td>
<td>Local root privilege escalation</td>
<td>-</td>
<td>-</td>
<td>[http://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:L/AC:L/Au:S/C:C/I:C/A:N) 6.2]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:L/AC:L/Au:S/C:C/I:C/A:N) 6.2]</td>
<td>Major</td>
<td>Major</td>
<td>8.0.7</td>
<td>8.0.7</td>
<td>Matthew David</td>
<td style="white-space:nowrap">Matthew David</td>
</tr>
</tr>
<tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85000 85000]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85000 85000]</td>
<td>Patch nginx for CVE-2013-4547</td>
<td>Patch nginx for CVE-2013-4547</td>
<td>[http://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4547 CVE-2013-4547]</td>
<td>n/a</td>
<td>7.5</td>
<td>7.5</td>
<td>Major</td>
<td>Major</td>
<td>7.2.7<br /> 8.0.7</td>
<td>7.2.7 <br /> 8.0.7</td>
<td>Upstream</td>
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4547 CVE-2013-4547]</td>
</tr>
</tr>
<tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80450 80450]<br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=80131 80131]<br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=80445 80445]<br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=80132 80132]</td>
<td style="white-space:nowrap">
<td>Upgrade to JDK 1.6 u41<br /> Upgrade OpenSSL to 1.0.0k<br /> Upgrade to JDK 1.7u15+<br /> Upgrade to OpenSSL 1.0.1d</td>
[https://bugzilla.zimbra.com/show_bug.cgi?id=80450 80450] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=80131 80131] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=80445 80445] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=80132 80132]
<td>[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169 CVE-2013-0169]</td>
</td>
<td style="white-space:nowrap">
Upgrade to JDK 1.6 u41 <br /> Upgrade OpenSSL to 1.0.0k<br /> Upgrade to JDK 1.7u15+<br /> Upgrade to OpenSSL 1.0.1d</td>
<td>n/a</td>
<td>2.6</td>
<td>2.6</td>
<td>Minor</td>
<td>Minor</td>
<td>7.2.3<br /> 7.2.3<br /> 8.0.3<br /> 8.0.3</td>
<td>7.2.3 <br /> 7.2.3 <br /> 8.0.3 <br /> 8.0.3</td>
<td>Upstream</td>
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169 CVE-2013-0169]</td>
</tr>
</tr>
<tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80338 80338]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80338 80338]</td>
<td>Local file inclusion via skin/branding feature</td>
<td>Local file inclusion via skin/branding feature [http://cwe.mitre.org/data/definitions/22.html CWE-22]</td>
<td>[https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091 CVE-2013-7091]</td>
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091 CVE-2013-7091]</td>
<td>5.0</td>
<td>[https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2013-7091&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td>
<td>Critical</td>
<td>Critical</td>
<td>6.0.16_Patch<br /> 7.1.1_Patch6<br /> 7.1.3_Patch3<br /> 7.2.2_Patch2<br /> 7.2.3<br /> 8.0.2_Patch<br /> 8.0.3</td>
<td style="white-space:nowrap">6.0.16_Patch <br /> 7.1.1_Patch6 <br /> 7.1.3_Patch3 <br /> 7.2.2_Patch2 <br /> 7.2.3 <br /> 8.0.2_Patch <br /> 8.0.3</td>
<td>Private</td>
<td>Private</td>
</tr>
</tr>
Line 110: Line 549:
<td>Separate keystore for CAs used for X509 authentication</td>
<td>Separate keystore for CAs used for X509 authentication</td>
<td>-</td>
<td>-</td>
<td>[http://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td>
<td>Major</td>
<td>Major</td>
<td>8.0.7</td>
<td>8.0.7</td>
Line 118: Line 557:
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=75424 75424]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=75424 75424]</td>
<td>Upgrade to Clamav 0.97.5</td>
<td>Upgrade to Clamav 0.97.5</td>
<td>[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1457 CVE-2012-1457]<br /> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1458 CVE-2012-1458]<br /> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1459 CVE-2012-1459]</td>
<td>n/a</td>
<td>4.3<br />4.3<br />4.3</td>
<td>4.3 <br /> 4.3 <br /> 4.3</td>
<td>Minor</td>
<td>Minor</td>
<td>7.2.1</td>
<td>7.2.1</td>
<td>Upstream</td>
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1457 CVE-2012-1457] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1458 CVE-2012-1458] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1459 CVE-2012-1459]</td>
</tr>
</tr>
<tr>
<tr>
Line 128: Line 567:
<td>Do not allow HTTP GET for login</td>
<td>Do not allow HTTP GET for login</td>
<td>-</td>
<td>-</td>
<td>[http://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8]</td>
<td>Major</td>
<td>Major</td>
<td>7.1.3_Patch<br />7.1.4</td>
<td>7.1.3_Patch <br /> 7.1.4</td>
<td>Private</td>
<td>Private</td>
</tr>
</tr>
Line 139: Line 578:
       <div class="tile zimbrared">
       <div class="tile zimbrared">
         <h4>Try Zimbra</h4>  
         <h4>Try Zimbra</h4>  
         <p class="text-justify"><i class="fa fa-cloud-download fa-3x pull-left"></i> Try now Zimbra Collaboration without any cost with the 60-day free Trial. <br />[https://www.zimbra.com/try/secure-collaboration-software-free-trial <span style="color:white">'''Get it now »'''</span>]</p>
         <p class="text-justify"><i class="fa fa-cloud-download fa-3x pull-left"></i> Try now Zimbra Collaboration without any cost with the 60-day free Trial. <br /> [https://www.zimbra.com/try/secure-collaboration-software-free-trial <span style="color:white">'''Get it now »'''</span>]</p>
       </div>       
       </div>       
<div class="tile zimbraorange">
<div class="tile zimbraorange">
         <h4>Want to get involved?</h4>  
         <h4>Want to get involved?</h4>  
         <p class="text-justify">You can contribute in the Community, in the Wiki, in the Code, or developing Zimlets. <br />'''Find out more. »'''</p>
         <p class="text-justify">You can contribute in the Community, in the Wiki, in the Code, or developing Zimlets. <br /> '''Find out more. »'''</p>
       </div>
       </div>
<div class="tile zimbrablue">
<div class="tile zimbrablue">
         <h4>Other Help Resources</h4>  
         <h4>Other Help Resources</h4>  
         <p><i class="fa fa-users"></i>  [https://help.zimbra.com <span style="color:white">Visit the User Help Page »</span>]<br /><i class="fa fa-comments"></i> [https://community.zimbra.com/collaboration/ <span style="color:white">Visit the Official Forums »</span>]<br/><i class="fa fa-book"></i> [https://zimbra.com/documentation <span style="color:white">Zimbra Documentation Page »</span>]</p>
         <p><i class="fa fa-users"></i>  [https://help.zimbra.com <span style="color:white">Visit the User Help Page »</span>] <br /> <i class="fa fa-comments"></i> [https://community.zimbra.com/collaboration/ <span style="color:white">Visit the Official Forums »</span>] <br/> <i class="fa fa-book"></i> [https://zimbra.com/documentation <span style="color:white">Zimbra Documentation Page »</span>]</p>
       </div>
       </div>
<div class="tile zimbragrey">
<div class="tile zimbragrey">
         <h4>Looking for a Video?</h4>  
         <h4>Looking for a Video?</h4>  
         <p class="text-justify"><i class="fa fa-youtube fa-3x pull-left"></i> Visit our YouTube Channel to keep posted about Webinars, technology news, Product overviews and more. <br />[https://www.youtube.com/channel/UCcB648SoNlCNvyIh4arcTGg <span style="color:white">'''Go to the YouTube Channel »'''</span>]</p>
         <p class="text-justify"><i class="fa fa-youtube fa-3x pull-left"></i> Visit our YouTube Channel to keep posted about Webinars, technology news, Product overviews and more. <br /> [https://www.youtube.com/channel/UCcB648SoNlCNvyIh4arcTGg <span style="color:white">'''Go to the YouTube Channel »'''</span>]</p>
       </div>
       </div>
</div>
</div>
</div>
</div>
<br />
<br />

Revision as of 01:00, 25 May 2018

Zimbra Security Advisories

Overview

The following Security Vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest release and patches, please be sure to update your Zimbra Collaboration servers with the software available on our Download pages:

Zimbra Collaboration - Security Vulnerability Advisories

(going back to ZCS 7.1.3)

Bug# Summary CVE-ID CVSS
Score
Zimbra
Rating
Fix Release or
Patch Version
Reporter
108902 Persistent XSS CWE-79 CVE-2018-10939 3.5 Minor 8.7.11 Patch4
8.8.8 Patch4
Diego Di Nardo
108963 Verbose Error Messages CWE-209 CVE-2018-10950 3.5 Minor 8.7.11 Patch3
8.8.8
Netragard
108962 Persistent XSS CWE-203 CVE-2018-10949 5.0 Major 8.7.11 Patch3
8.8.8
Netragard
108894 Persistent XSS CWE-199 CVE-2018-10951 3.6 Minor 8.6.0 Patch10
8.7.11 Patch3
8.8.8
Netragard
97579 CSRF CWE-352 CVE-2015-7610 5.8 Major 8.6.0 Patch10
8.7.11 Patch2
8.8.8 Patch1
Fortinet's FortiGuard Labs
108786 Persistent XSS CWE-79 CVE-2018-6882 4.3 Minor 8.6.0 Patch10
8.7.11 Patch1
8.8.7
8.8.8
Stephan Kaag of Securify
108265 Persistent XSS CWE-79 CVE-2017-17703 4.3 Minor 8.6.0 Patch9
8.7.11 Patch1
8.8.3
Veit Hailperin
107963 Host header injection CWE-20 - 4.3 Minor 8.8.0 Beta2 -
107948

107949

Persistent XSS CWE-79 CVE-2018-10948 3.5 Minor 8.6.0 Patch10
8.7.11 Patch3
8.8.0 Beta2
Lucideus
Phil Pearl
107925 Persistent XSS - snippet CWE-79 CVE-2017-8802 3.5 Minor 8.6.0 Patch9
8.7.11 Patch1
8.8.0 Beta2
Compass Security
107878 Persistent XSS - location CWE-79 CVE-2017-8783 4.0 Minor 8.7.10 Stephan Kaag of Securify
107712 Improper limitation of file paths CWE-22 CVE-2017-6821 4.0 Minor 8.7.6 Greg Solovyev, Phil Pearl
107684 Improper handling of privileges CWE-280 CVE-2017-6813 4.0 Major 8.7.6 Greg Solovyev
106811 Limited XXE CWE-611 CVE-2016-9924 4.3 Minor 8.6.0 Patch10
8.7.4
Alastair Gray
106612 Persistent XSS CWE-79 CVE-2017-7288 4.3 Minor 8.7.1 Sammy Forgit
105001
105174
XSS CWE-79 CVE-2016-5721 4.3
2.1
Minor 8.7.0 Secu
104552
104703
XSS CWE-79 CVE-2016-3999 4.3 Minor 8.7.0 Nam Habach
104477 - CVE-2016-4019 4.3 Minor 8.7.0 Zimbra
104294
104456
CSRF CWE-352 CVE-2016-3406 2.6 Minor 8.6.0 Patch8
8.7.0
Zimbra
104222
104910
105071
105175
XSS CWE-79 CVE-2016-3407 4.3
3.5
4.3
2.1
Minor 8.7.0 Zimbra
103997
104413
104414
104777
104791
XSS CWE-79 CVE-2016-3412 3.5 Minor 8.7.0 Zimbra
103996 - CVE-2016-3413 2.6 Minor 8.7.0 Zimbra
103961
104828
CSRF CWE-352 CVE-2016-3405 4.3 Minor 8.6.0 Patch8
8.7.0
Zimbra
103959 CSRF CWE-352 CVE-2016-3404 4.3 Minor 8.6.0 Patch8
8.7.0
Zimbra
103956
103995
104475
104838
104839
XSS CWE-79 CVE-2016-3410 4.3 Minor 8.7.0 Zimbra
103609 XSS CWE-79 CVE-2016-3411 3.5 Minor 8.7.0 Zimbra
102637 XSS CWE-79 CVE-2016-3409 4.3 Minor 8.7.0 Peter Nguyen
102276 CWE-502 CVE-2016-3415 5.8 Major 8.7.0 Zimbra
102227 CWE-502 n/a 7.5 Major 8.7.0 Upstream, see
CVE-2015-4852
102029 CWE-674 CVE-2016-3414 4.0 Minor 8.6.0 Patch7
8.7.0
Zimbra
101813 XSS CWE-79 CVE-2016-3408 4.3 Minor 8.7.0 Volexity
100885
100899
CSRF CWE-352 CVE-2016-3403 5.8 Major 8.6.0 Patch8
8.7.0
Sysdream
99810 - CVE-2016-3401 3.5 Minor 8.7.0 Zimbra
99167 - CVE-2016-3402 2.6 Minor 8.7.0 Zimbra
101435
101436
Persistent XSS CWE-79 CVE-2015-7609 6.4
2.3
Major 8.6.0 Patch5
8.7.0
Fortinet's FortiGuard Labs
101559
100133
99854
99914
96973
XSS CWE-79 CVE-2015-2249 3.5 Minor 8.6.0 Patch5
8.7.0
Zimbra
99236 XSS Vuln in YUI components in ZCS n/a 4.3 Minor 8.6.0 Patch5 Upstream, see
CVE-2012-5881
CVE-2012-5882
CVE-2012-5883
98358
98216
98215
Non-Persistent XSS CWE-79 CVE-2015-2249 4.3 Minor 8.6.0 Patch2
8.7.0
Cure53
97625 Non-Persistent XSS CWE-79 CVE-2015-2230 3.5 Minor 8.6.0 Patch2 MWR InfoSecurity
96105 Improper Input Validation CWE-20 CVE-2014-8563 5.8 Major 8.0.9
8.5.1
8.6.0
 -
83547 CSRF Vulnerability CWE-352 CVE-2015-6541 5.8 Major 8.5.0 iSEC Partners, Sysdream
87412
92825
92833
92835
XSS Vulnerabilities CWE-79
(8.0.7 Patch
contains 87412)
CVE-2014-5500 4.3 Minor 8.0.8
8.5.0
 -
83550 Session Fixation CWE-384 CVE-2013-5119 5.8 Major 8.5.0
91484 Patch ZCS8 OpenSSL for CVE-2014-0224 n/a 6.8 Major 8.0.3+Patch
8.0.4+Patch
8.0.5+Patch
8.0.6+Patch
8.0.7+Patch
Upstream, see
CVE-2014-0224
88708 Patch ZCS8 OpenSSL for CVE-2014-0160 n/a 5.0 Major 8.0.3+Patch
8.0.4+Patch
8.0.5+Patch
8.0.6+Patch
8.0.7+Patch
8.0.7
Upstream, see
CVE-2014-0160
85499 Upgrade to OpenSSL 1.0.1f n/a 4.3
4.3
5.8
Major 8.0.7 Upstream, see
CVE-2013-4353
CVE-2013-6449
CVE-2013-6450
84547 XXE CWE-611 CVE-2013-7217 6.4
(not 10.0)
Critical 7.2.2_Patch3
7.2.3_Patch
7.2.4_Patch2
7.2.5_Patch
7.2.6
8.0.3_Patch3
8.0.4_Patch2
8.0.5_Patch
8.0.6
Private
85478 XSS vulnerability in message view - 6.4 Major 8.0.7 Alban Diquet
of iSEC Partners
85411 Local root privilege escalation - 6.2 Major 8.0.7 Matthew David
85000 Patch nginx for CVE-2013-4547 n/a 7.5 Major 7.2.7
8.0.7
Upstream, see
CVE-2013-4547

80450
80131
80445
80132

Upgrade to JDK 1.6 u41
Upgrade OpenSSL to 1.0.0k
Upgrade to JDK 1.7u15+
Upgrade to OpenSSL 1.0.1d
n/a 2.6 Minor 7.2.3
7.2.3
8.0.3
8.0.3
Upstream, see
CVE-2013-0169
80338 Local file inclusion via skin/branding feature CWE-22 CVE-2013-7091 5.0 Critical 6.0.16_Patch
7.1.1_Patch6
7.1.3_Patch3
7.2.2_Patch2
7.2.3
8.0.2_Patch
8.0.3
Private
77655 Separate keystore for CAs used for X509 authentication - 5.8 Major 8.0.7 Private
75424 Upgrade to Clamav 0.97.5 n/a 4.3
4.3
4.3
Minor 7.2.1 Upstream, see
CVE-2012-1457
CVE-2012-1458
CVE-2012-1459
64981 Do not allow HTTP GET for login - 6.8 Major 7.1.3_Patch
7.1.4
Private

Try Zimbra

Try now Zimbra Collaboration without any cost with the 60-day free Trial.
Get it now »

Want to get involved?

You can contribute in the Community, in the Wiki, in the Code, or developing Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube Channel to keep posted about Webinars, technology news, Product overviews and more.
Go to the YouTube Channel »


Jump to: navigation, search