Difference between revisions of "Zimbra Security Advisories"

(8.8.12 release includes SSRF fixes for CVE-2019-9621 and CVE-2019-6981)
m (add/update links for CVE-IDs)
Line 259: Line 259:
 
</td>
 
</td>
 
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
 
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2018-10948</td>
+
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10948 CVE-2018-10948]</td>
 
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td>
 
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td>
 
<td>Minor</td>
 
<td>Minor</td>
Line 319: Line 319:
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106612 106612]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106612 106612]</td>
 
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
 
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7288 CVE-2017-7288]</td>
+
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-7288 CVE-2017-7288]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
 
<td>Minor</td>
 
<td>Minor</td>
Line 330: Line 330:
 
[https://bugzilla.zimbra.com/show_bug.cgi?id=105174 105174]</td>
 
[https://bugzilla.zimbra.com/show_bug.cgi?id=105174 105174]</td>
 
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
 
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2016-5721</td>
+
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-5721 CVE-2016-5721]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td>
 
<td>Minor</td>
 
<td>Minor</td>
Line 341: Line 341:
 
[https://bugzilla.zimbra.com/show_bug.cgi?id=104703 104703]</td>
 
[https://bugzilla.zimbra.com/show_bug.cgi?id=104703 104703]</td>
 
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
 
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2016-3999</td>
+
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3999 CVE-2016-3999]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
 
<td>Minor</td>
 
<td>Minor</td>
Line 351: Line 351:
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104477 104477]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104477 104477]</td>
 
<td>Open Redirect [https://cwe.mitre.org/data/definitions/601.html CWE-601]</td>
 
<td>Open Redirect [https://cwe.mitre.org/data/definitions/601.html CWE-601]</td>
<td>CVE-2016-4019</td>
+
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-4019 CVE-2016-4019]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
 
<td>Minor</td>
 
<td>Minor</td>
Line 362: Line 362:
 
[https://bugzilla.zimbra.com/show_bug.cgi?id=104456 104456]</td>
 
[https://bugzilla.zimbra.com/show_bug.cgi?id=104456 104456]</td>
 
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td>
 
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td>
<td>CVE-2016-3406</td>
+
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3406 CVE-2016-3406]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td>
 
<td>Minor</td>
 
<td>Minor</td>
Line 375: Line 375:
 
[https://bugzilla.zimbra.com/show_bug.cgi?id=105175 105175]</td>
 
[https://bugzilla.zimbra.com/show_bug.cgi?id=105175 105175]</td>
 
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
 
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2016-3407</td>
+
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3407 CVE-2016-3407]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td>
 
<td>Minor</td>
 
<td>Minor</td>
Line 389: Line 389:
 
[https://bugzilla.zimbra.com/show_bug.cgi?id=104791 104791]</td>
 
[https://bugzilla.zimbra.com/show_bug.cgi?id=104791 104791]</td>
 
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
 
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2016-3412</td>
+
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3412 CVE-2016-3412]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td>
 
<td>Minor</td>
 
<td>Minor</td>
Line 399: Line 399:
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103996 103996]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103996 103996]</td>
 
<td>XXE (Admin) [https://cwe.mitre.org/data/definitions/611.html CWE-611]-</td>
 
<td>XXE (Admin) [https://cwe.mitre.org/data/definitions/611.html CWE-611]-</td>
<td>CVE-2016-3413</td>
+
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3413 CVE-2016-3413]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td>
 
<td>Minor</td>
 
<td>Minor</td>
Line 410: Line 410:
 
[https://bugzilla.zimbra.com/show_bug.cgi?id=104828 104828]</td>
 
[https://bugzilla.zimbra.com/show_bug.cgi?id=104828 104828]</td>
 
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td>
 
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td>
<td>CVE-2016-3405</td>
+
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3405 CVE-2016-3405]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
 
<td>Minor</td>
 
<td>Minor</td>
Line 420: Line 420:
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103959 103959]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103959 103959]</td>
 
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td>
 
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td>
<td>CVE-2016-3404</td>
+
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3404 CVE-2016-3404]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
 
<td>Minor</td>
 
<td>Minor</td>
Line 434: Line 434:
 
[https://bugzilla.zimbra.com/show_bug.cgi?id=104839 104839]</td>
 
[https://bugzilla.zimbra.com/show_bug.cgi?id=104839 104839]</td>
 
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
 
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2016-3410</td>
+
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3410 CVE-2016-3410]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
 
<td>Minor</td>
 
<td>Minor</td>
Line 444: Line 444:
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103609 103609]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103609 103609]</td>
 
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
 
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2016-3411</td>
+
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3411 CVE-2016-3411]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td>
 
<td>Minor</td>
 
<td>Minor</td>
Line 454: Line 454:
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102637 102637]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102637 102637]</td>
 
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
 
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2016-3409</td>
+
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3409 CVE-2016-3409]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
 
<td>Minor</td>
 
<td>Minor</td>
Line 464: Line 464:
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102276 102276]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102276 102276]</td>
 
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td>
 
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td>
<td>CVE-2016-3415</td>
+
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3415 CVE-2016-3415]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td>
 
<td>Major</td>
 
<td>Major</td>
Line 484: Line 484:
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102029 102029]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102029 102029]</td>
 
<td>[https://cwe.mitre.org/data/definitions/674.html CWE-674]</td>
 
<td>[https://cwe.mitre.org/data/definitions/674.html CWE-674]</td>
<td>CVE-2016-3414</td>
+
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3414 CVE-2016-3414]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0]</td>
 
<td>Minor</td>
 
<td>Minor</td>
Line 494: Line 494:
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101813 101813]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101813 101813]</td>
 
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
 
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2016-3408</td>
+
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3408 CVE-2016-3408]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
 
<td>Minor</td>
 
<td>Minor</td>
Line 505: Line 505:
 
[https://bugzilla.zimbra.com/show_bug.cgi?id=100899 100899]</td>
 
[https://bugzilla.zimbra.com/show_bug.cgi?id=100899 100899]</td>
 
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td>
 
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td>
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3403 CVE-2016-3403]</td>
+
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3403 CVE-2016-3403]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td>
 
<td>Major</td>
 
<td>Major</td>
Line 515: Line 515:
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99810 99810]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99810 99810]</td>
 
<td>[https://cwe.mitre.org/data/definitions/284.html CWE-284] [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td>
 
<td>[https://cwe.mitre.org/data/definitions/284.html CWE-284] [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td>
<td>CVE-2016-3401</td>
+
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3401 CVE-2016-3401]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td>
 
<td>Minor</td>
 
<td>Minor</td>
Line 525: Line 525:
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99167 99167]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99167 99167]</td>
 
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td>
 
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td>
<td>CVE-2016-3402</td>
+
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3402 CVE-2016-3402]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td>
 
<td>Minor</td>
 
<td>Minor</td>
Line 536: Line 536:
 
[https://bugzilla.zimbra.com/show_bug.cgi?id=101436 101436]</td>
 
[https://bugzilla.zimbra.com/show_bug.cgi?id=101436 101436]</td>
 
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
 
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2015-7609</td>
+
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-7609 CVE-2015-7609]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]<br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.3]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]<br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.3]</td>
 
<td>Major</td>
 
<td>Major</td>
Line 550: Line 550:
 
[https://bugzilla.zimbra.com/show_bug.cgi?id=96973 96973]</td>
 
[https://bugzilla.zimbra.com/show_bug.cgi?id=96973 96973]</td>
 
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
 
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2015-2249</td>
+
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-2249 CVE-2015-2249]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td>
 
<td>Minor</td>
 
<td>Minor</td>
Line 572: Line 572:
 
[https://bugzilla.zimbra.com/show_bug.cgi?id=98215 98215]</td>
 
[https://bugzilla.zimbra.com/show_bug.cgi?id=98215 98215]</td>
 
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
 
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2015-2249</td>
+
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-2249 CVE-2015-2249]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
 
<td>Minor</td>
 
<td>Minor</td>
Line 582: Line 582:
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97625 97625]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97625 97625]</td>
 
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
 
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2015-2230</td>
+
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-2230 CVE-2015-2230]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td>
 
<td>Minor</td>
 
<td>Minor</td>
Line 592: Line 592:
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=96105 96105]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=96105 96105]</td>
 
<td>Improper Input Validation [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td>
 
<td>Improper Input Validation [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td>
<td>CVE-2014-8563</td>
+
<td>[https://nvd.nist.gov/vuln/detail/CVE-2014-8563 CVE-2014-8563]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td>
 
<td>Major</td>
 
<td>Major</td>
Line 602: Line 602:
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83547 83547]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83547 83547]</td>
 
<td>CSRF Vulnerability [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td>
 
<td>CSRF Vulnerability [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td>
<td>CVE-2015-6541</td>
+
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-6541 CVE-2015-6541]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td>
 
<td>Major</td>
 
<td>Major</td>
Line 615: Line 615:
 
[https://bugzilla.zimbra.com/show_bug.cgi?id=92835 92835]</td>
 
[https://bugzilla.zimbra.com/show_bug.cgi?id=92835 92835]</td>
 
<td>XSS Vulnerabilities [https://cwe.mitre.org/data/definitions/79.html CWE-79] <br /> (8.0.7 Patch <br /> contains [https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412])</td>
 
<td>XSS Vulnerabilities [https://cwe.mitre.org/data/definitions/79.html CWE-79] <br /> (8.0.7 Patch <br /> contains [https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412])</td>
<td>CVE-2014-5500</td>
+
<td>[https://nvd.nist.gov/vuln/detail/CVE-2014-5500 CVE-2014-5500]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
 
<td>Minor</td>
 
<td>Minor</td>
Line 625: Line 625:
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83550 83550]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83550 83550]</td>
 
<td>Session Fixation [https://cwe.mitre.org/data/definitions/384.html CWE-384]</td>
 
<td>Session Fixation [https://cwe.mitre.org/data/definitions/384.html CWE-384]</td>
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5119 CVE-2013-5119]</td>
+
<td>[https://nvd.nist.gov/vuln/detail/CVE-2013-5119 CVE-2013-5119]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/AU:N/C:P/I:P/A:N) 5.8]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/AU:N/C:P/I:P/A:N) 5.8]</td>
 
<td>Major</td>
 
<td>Major</td>
Line 664: Line 664:
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td>
 
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td>
 
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td>
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217 CVE-2013-7217]</td>
+
<td>[https://nvd.nist.gov/vuln/detail/CVE-2013-7217 CVE-2013-7217]</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4] <br /> (not 10.0)</td>
 
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4] <br /> (not 10.0)</td>
 
<td>Critical</td>
 
<td>Critical</td>
Line 715: Line 715:
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80338 80338]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80338 80338]</td>
 
<td>Local file inclusion via skin/branding feature [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td>
 
<td>Local file inclusion via skin/branding feature [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td>
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091 CVE-2013-7091]</td>
+
<td>[https://nvd.nist.gov/vuln/detail/CVE-2013-7091 CVE-2013-7091]</td>
 
<td>[https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2013-7091&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td>
 
<td>[https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2013-7091&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td>
 
<td>Critical</td>
 
<td>Critical</td>

Revision as of 14:29, 10 April 2019

Zimbra Security Advisories

Overview

The following Security Vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest release and patches, please be sure to update your Zimbra Collaboration servers with the software available on our Download pages:

Zimbra Collaboration - Security Vulnerability Advisories

Note: only supported versions are referenced, however older unsupported versions often have the same vulnerabilities and should be upgraded to supported versions as soon as possible.
(going back to ZCS 7.1.3)

Bug# Summary CVE-ID CVSS
Score
Zimbra
Rating
Fix Release or
Patch Version
Reporter
109124 Non-Persistent XSS CWE-79 CVE-2019-8947 2.6 Minor - Issam Rabhi of Sysdream
109123 Persistent XSS CWE-79 CVE-2019-8946 2.6 Minor - Issam Rabhi of Sysdream
109122 Persistent XSS CWE-79 CVE-2019-8945 3.5 Minor - Issam Rabhi of Sysdream
109117 Persistent XSS CWE-79 - 3.5 Minor - Mondher Smii
109127 SSRF CWE-918 / CWE-807 CVE-2019-9621 4.0 Minor 8.8.12 An Trinh
109096 Blind SSRF CWE-918 CVE-2019-6981 4.0 Minor 8.8.12 An Trinh
109129 XXE CWE-611
(8.7.x only)
CVE-2019-9670 6.4 Major 8.7.11 Patch10 Khanh Viet Pham
An Trinh
109097 Insecure object deserialization CWE-502 CVE-2019-6980 5.4 Major 8.7.11 Patch9
8.8.10 Patch7
8.8.11 Patch3
An Trinh
109093 XXE CWE-611 CVE-2018-20160 6.4 Major 8.7.x see 109129 above
8.8.9 Patch9
8.8.10 Patch5
8.8.11 Patch1
An Trinh
109017 Non-Persistent XSS CWE-79 CVE-2018-14013 4.3 Minor 8.7.11 Patch8
8.8.9 Patch9
8.8.10 Patch5
8.8.11
Issam Rabhi of Sysdream
109020 Persistent XSS CWE-79 CVE-2018-18631 5.0 Major 8.7.11 Patch7
8.8.9 Patch7
8.8.10 Patch2
Netragard
109018 Non-Persistent CWE-79 CVE-2018-14013 2.6 Minor 8.7.11 Patch7
8.8.9 Patch6
8.8.10 Patch1
Issam Rabhi of Sysdream
109021 Limited Content Spoofing CWE-345 CVE-2018-17938 4.3 Minor 8.8.10 Sumit Sahoo
109012 Account Enumeration CWE-203 CVE-2018-15131 5.0 Major 8.7.11 Patch6
8.8.8 Patch9
8.8.9 Patch3
Danielle Deibler
108970 Persistent XSS CWE-79 CVE-2018-14425 3.5 Minor 8.8.8 Patch7
8.8.9 Patch1
Diego Di Nardo
108902 Persistent XSS CWE-79 CVE-2018-10939 3.5 Minor 8.6.0 Patch11
8.7.11 Patch4
8.8.8 Patch4
Diego Di Nardo
108963 Verbose Error Messages CWE-209 CVE-2018-10950 3.5 Minor 8.7.11 Patch3
8.8.8
Netragard
108962 Account Enumeration CWE-203 CVE-2018-10949 5.0 Major 8.7.11 Patch3
8.8.8
Netragard
108894 Persistent XSS CWE-199 CVE-2018-10951 3.6 Minor 8.6.0 Patch10
8.7.11 Patch3
8.8.8
Netragard
97579 CSRF CWE-352 CVE-2015-7610 5.8 Major 8.6.0 Patch10
8.7.11 Patch2
8.8.8 Patch1
Fortinet's FortiGuard Labs
108786 Persistent XSS CWE-79 CVE-2018-6882 4.3 Minor 8.6.0 Patch10
8.7.11 Patch1
8.8.7
8.8.8
Stephan Kaag of Securify
108265 Persistent XSS CWE-79 CVE-2017-17703 4.3 Minor 8.6.0 Patch9
8.7.11 Patch1
8.8.3
Veit Hailperin
107963 Host header injection CWE-20 - 4.3 Minor 8.8.0 Beta2 -
107948

107949

Persistent XSS CWE-79 CVE-2018-10948 3.5 Minor 8.6.0 Patch10
8.7.11 Patch3
8.8.0 Beta2
Lucideus
Phil Pearl
107925 Persistent XSS - snippet CWE-79 CVE-2017-8802 3.5 Minor 8.6.0 Patch9
8.7.11 Patch1
8.8.0 Beta2
Compass Security
107878 Persistent XSS - location CWE-79 CVE-2017-8783 4.0 Minor 8.7.10 Stephan Kaag of Securify
107712 Improper limitation of file paths CWE-22 CVE-2017-6821 4.0 Minor 8.7.6 Greg Solovyev, Phil Pearl
107684 Improper handling of privileges CWE-280 CVE-2017-6813 4.0 Major 8.6.0 Patch9
8.7.6
Greg Solovyev
106811 XXE CWE-611 CVE-2016-9924 5.8 Major 8.6.0 Patch10
8.7.4
Alastair Gray
106612 Persistent XSS CWE-79 CVE-2017-7288 4.3 Minor 8.6.0 Patch11
8.7.1
Sammy Forgit
105001
105174
XSS CWE-79 CVE-2016-5721 4.3
2.1
Minor 8.6.0 Patch11
8.7.0
Secu
104552
104703
XSS CWE-79 CVE-2016-3999 4.3 Minor 8.7.0 Nam Habach
104477 Open Redirect CWE-601 CVE-2016-4019 4.3 Minor 8.7.0 Zimbra
104294
104456
CSRF CWE-352 CVE-2016-3406 2.6 Minor 8.6.0 Patch8
8.7.0
Zimbra
104222

104910
105071

105175
XSS CWE-79 CVE-2016-3407 4.3
3.5
4.3
2.1
Minor 8.6.0 Patch11
8.7.0
Zimbra
103997

104413
104414
104777

104791
XSS CWE-79 CVE-2016-3412 3.5 Minor 8.7.0 Zimbra
103996 XXE (Admin) CWE-611- CVE-2016-3413 2.6 Minor 8.6.0 Patch11
8.7.0
Zimbra
103961
104828
CSRF CWE-352 CVE-2016-3405 4.3 Minor 8.6.0 Patch8
8.7.0
Zimbra
103959 CSRF CWE-352 CVE-2016-3404 4.3 Minor 8.6.0 Patch8
8.7.0
Zimbra
103956

103995
104475
104838

104839
XSS CWE-79 CVE-2016-3410 4.3 Minor 8.6.0 Patch11
8.7.0
Zimbra
103609 XSS CWE-79 CVE-2016-3411 3.5 Minor 8.6.0 Patch11
8.7.0
Zimbra
102637 XSS CWE-79 CVE-2016-3409 4.3 Minor 8.6.0 Patch11
8.7.0
Peter Nguyen
102276 Deserialization of Untrusted Data CWE-502 CVE-2016-3415 5.8 Major 8.7.0 Zimbra
102227 Deserialization of Untrusted Data CWE-502 n/a 7.5 Major 8.7.0 Upstream, see
CVE-2015-4852
102029 CWE-674 CVE-2016-3414 4.0 Minor 8.6.0 Patch7
8.7.0
Zimbra
101813 XSS CWE-79 CVE-2016-3408 4.3 Minor 8.6.0 Patch11
8.7.0
Volexity
100885
100899
CSRF CWE-352 CVE-2016-3403 5.8 Major 8.6.0 Patch8
8.7.0
Sysdream
99810 CWE-284 CWE-203 CVE-2016-3401 3.5 Minor 8.7.0 Zimbra
99167 Account Enumeration CWE-203 CVE-2016-3402 2.6 Minor 8.7.0 Zimbra
101435
101436
Persistent XSS CWE-79 CVE-2015-7609 6.4
2.3
Major 8.6.0 Patch5
8.7.0
Fortinet's FortiGuard Labs
101559

100133
99854
99914

96973
XSS CWE-79 CVE-2015-2249 3.5 Minor 8.6.0 Patch5
8.7.0
Zimbra
99236 XSS Vuln in YUI components in ZCS n/a 4.3 Minor 8.6.0 Patch5 Upstream, see
CVE-2012-5881
CVE-2012-5882
CVE-2012-5883
98358

98216

98215
Non-Persistent XSS CWE-79 CVE-2015-2249 4.3 Minor 8.6.0 Patch2
8.7.0
Cure53
97625 Non-Persistent XSS CWE-79 CVE-2015-2230 3.5 Minor 8.6.0 Patch2 MWR InfoSecurity
96105 Improper Input Validation CWE-20 CVE-2014-8563 5.8 Major 8.0.9
8.5.1
8.6.0
 -
83547 CSRF Vulnerability CWE-352 CVE-2015-6541 5.8 Major 8.5.0 iSEC Partners, Sysdream
87412

92825
92833

92835
XSS Vulnerabilities CWE-79
(8.0.7 Patch
contains 87412)
CVE-2014-5500 4.3 Minor 8.0.8
8.5.0
 -
83550 Session Fixation CWE-384 CVE-2013-5119 5.8 Major 8.5.0
91484 Patch ZCS8 OpenSSL for CVE-2014-0224 n/a 6.8 Major 8.0.3+Patch
8.0.4+Patch
8.0.5+Patch
8.0.6+Patch
8.0.7+Patch
Upstream, see
CVE-2014-0224
88708 Patch ZCS8 OpenSSL for CVE-2014-0160 n/a 5.0 Major 8.0.3+Patch
8.0.4+Patch
8.0.5+Patch
8.0.6+Patch
8.0.7+Patch
8.0.7
Upstream, see
CVE-2014-0160
85499 Upgrade to OpenSSL 1.0.1f n/a 4.3
4.3
5.8
Major 8.0.7 Upstream, see
CVE-2013-4353
CVE-2013-6449
CVE-2013-6450
84547 XXE CWE-611 CVE-2013-7217 6.4
(not 10.0)
Critical 7.2.2_Patch3
7.2.3_Patch
7.2.4_Patch2
7.2.5_Patch
7.2.6
8.0.3_Patch3
8.0.4_Patch2
8.0.5_Patch
8.0.6
Private
85478 XSS vulnerability in message view - 6.4 Major 8.0.7 Alban Diquet
of iSEC Partners
85411 Local root privilege escalation - 6.2 Major 8.0.7 Matthew David
85000 Patch nginx for CVE-2013-4547 n/a 7.5 Major 7.2.7
8.0.7
Upstream, see
CVE-2013-4547

80450
80131
80445
80132

Upgrade to JDK 1.6 u41
Upgrade OpenSSL to 1.0.0k
Upgrade to JDK 1.7u15+
Upgrade to OpenSSL 1.0.1d
n/a 2.6 Minor 7.2.3
7.2.3
8.0.3
8.0.3
Upstream, see
CVE-2013-0169
80338 Local file inclusion via skin/branding feature CWE-22 CVE-2013-7091 5.0 Critical 6.0.16_Patch
7.1.1_Patch6
7.1.3_Patch3
7.2.2_Patch2
7.2.3
8.0.2_Patch
8.0.3
Private
77655 Separate keystore for CAs used for X509 authentication - 5.8 Major 8.0.7 Private
75424 Upgrade to Clamav 0.97.5 n/a 4.3
4.3
4.3
Minor 7.2.1 Upstream, see
CVE-2012-1457
CVE-2012-1458
CVE-2012-1459
64981 Do not allow HTTP GET for login - 6.8 Major 7.1.3_Patch
7.1.4
Private

Try Zimbra

Try now Zimbra Collaboration without any cost with the 60-day free Trial.
Get it now »

Want to get involved?

You can contribute in the Community, in the Wiki, in the Code, or developing Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube Channel to keep posted about Webinars, technology news, Product overviews and more.
Go to the YouTube Channel »


Jump to: navigation, search