Zimbra Security Advisories: Difference between revisions
No edit summary |
Saket.patel (talk | contribs) No edit summary |
||
(19 intermediate revisions by 3 users not shown) | |||
Line 23: | Line 23: | ||
<th style="background-color: #f15922;"><span style="color: #ffffff;">Reporter</span></th> | <th style="background-color: #f15922;"><span style="color: #ffffff;">Reporter</span></th> | ||
</tr> | </tr> | ||
<tr> | |||
<td></td> | |||
<td>Upgraded OpenSSL to 1.1.1q avoid multiple vulnerabilities.</td> | |||
<td></td> | |||
<td>[https://access.redhat.com/security/cve/cve-2022-0778#cve-cvss-v3 9.8]</td> | |||
<td>Low</td> | |||
<td nowrap>9.0.0 Patch 26<br />8.8.15 Patch 33</td> | |||
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2022-2068 CVE-2022-2068]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Cyrus SASL package has been upgraded to version 2.1.28.</td> | |||
<td></td> | |||
<td>[https://access.redhat.com/security/cve/cve-2022-0778#cve-cvss-v3 8.8]</td> | |||
<td>Low</td> | |||
<td nowrap>9.0.0 Patch 26<br />8.8.15 Patch 33</td> | |||
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2022-24407 CVE-2022-24407]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Upgraded Log4j to v2.</td> | |||
<td></td> | |||
<td>[https://access.redhat.com/security/cve/cve-2022-0778#cve-cvss-v3 10.0]</td> | |||
<td>Low</td> | |||
<td nowrap>9.0.0 Patch 25<br />8.8.15 Patch 32</td> | |||
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2021-44228 CVE-2021-44228], [https://nvd.nist.gov/vuln/detail/CVE-2021-45105 CVE-2021-45105], [https://nvd.nist.gov/vuln/detail/CVE-2019-17571 CVE-2019-17571]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Upgraded OpenSSL to 1.1.1n to avoid DoS vulnerability.</td> | |||
<td></td> | |||
<td>[https://access.redhat.com/security/cve/cve-2022-0778#cve-cvss-v3 7.5]</td> | |||
<td>Low</td> | |||
<td nowrap>9.0.0 Patch 25<br />8.8.15 Patch 32</td> | |||
<td>Upstream, see [https://access.redhat.com/security/cve/cve-2022-0778 CVE-2022-0778]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Upgraded Jetty to 9.4.46 to avoid vulnerability due to large TLS packets causing 100% CPU usage.</td> | |||
<td></td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.5]</td> | |||
<td>Low</td> | |||
<td nowrap>9.0.0 Patch 25<br />8.8.15 Patch 32</td> | |||
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2021-28165 CVE-2021-28165]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Upgraded mina-core to version 2.1.6.</td> | |||
<td></td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.5]</td> | |||
<td>Low</td> | |||
<td nowrap>9.0.0 Patch 25<br />8.8.15 Patch 32</td> | |||
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2019-0231 CVE-2019-0231]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Memcached poisoning with unauthenticated request.</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-27924 CVE-2022-27924]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.5]</td> | |||
<td>Medium</td> | |||
<td nowrap>9.0.0 Patch 24<br />8.8.15 Patch 31</td> | |||
<td>Simon Scannell of [https://sonarsource.com/ Sonarsource]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>RCE through mboximport from authenticated user.</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-27925 CVE-2022-27925]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.2]</td> | |||
<td>Medium</td> | |||
<td nowrap>9.0.0 Patch 24<br />8.8.15 Patch 31</td> | |||
<td>Mikhail Klyuchnikov of [https://www.ptsecurity.com Positive Technologies]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>XSS vulnerability in calendar in classic html client using /h/calendar. </td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-24682 CVE-2022-24682]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td> | |||
<td>Medium</td> | |||
<td nowrap>8.8.15 Patch 30</td> | |||
<td>Steven Adair and Thomas Lancaster of [https://www.volexity.com/ Volexity]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Proxy Servlet Open Redirect Vulnerability</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2021-35209 CVE-2021-35209]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 9.8]</td> | |||
<td>Medium</td> | |||
<td nowrap>9.0.0 Patch 16<br />8.8.15 Patch 23</td> | |||
<td>Simon Scannell of [https://sonarsource.com/ Sonarsource]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Open Redirect Vulnerability in preauth servlet</td> | |||
<td> [https://nvd.nist.gov/vuln/detail/CVE-2021-34807 CVE-2021-34807]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td> | |||
<td>Low</td> | |||
<td nowrap>9.0.0 Patch 16<br />8.8.15 Patch 23</td> | |||
<td>Simon Scannell of [https://sonarsource.com/ Sonarsource]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Stored XSS Vulnerability in ZmMailMsgView.java</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2021-35208 CVE-2021-35208]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 5.4]</td> | |||
<td>Medium</td> | |||
<td nowrap>9.0.0 Patch 16<br />8.8.15 Patch 23</td> | |||
<td>Simon Scannell of [https://sonarsource.com/ Sonarsource]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>XSS vulnerability in Zimbra Web Client via loginErrorCode</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2021-35207 CVE-2021-35207]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td> | |||
<td>Medium</td> | |||
<td nowrap>9.0.0 Patch 16<br />8.8.15 Patch 23</td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Heap-based buffer overflow vulnerabilities in PHP < 7.3.10</td> | |||
<td></td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 9.8]</td> | |||
<td>Critical</td> | |||
<td>9.0.0 Patch 13</td> | |||
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2019-9641 CVE-2019-9641], [https://nvd.nist.gov/vuln/detail/CVE-2019-9640 CVE-2019-9640]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Heap-based buffer overflow vulnerabilities in PHP < 7.3.10</td> | |||
<td></td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 9.8]</td> | |||
<td>Critical</td> | |||
<td>8.8.15 Patch 20</td> | |||
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2019-9641 CVE-2019-9641], [https://nvd.nist.gov/vuln/detail/CVE-2019-9640 CVE-2019-9640]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Upgraded Apache to 2.4.46 to avoid multiple vulnerabilities.</td> | |||
<td></td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.8]</td> | |||
<td>High</td> | |||
<td>9.0.0 Patch 13</td> | |||
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2019-0211 CVE-2019-0211], [https://nvd.nist.gov/vuln/detail/CVE-2019-0217 CVE-2019-0217]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Upgraded Apache to 2.4.46 to avoid multiple vulnerabilities.</td> | |||
<td></td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.8]</td> | |||
<td>High</td> | |||
<td>8.8.15 Patch 20</td> | |||
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2019-0211 CVE-2019-0211], [https://nvd.nist.gov/vuln/detail/CVE-2019-0217 CVE-2019-0217]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>XXE ([https://cwe.mitre.org/data/definitions/776.html CWE-776]) vulnerability in saml consumer store servlet (Network Edition) </td> | |||
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2020-35123 CVE-2020-35123]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.5]</td> | |||
<td>Medium</td> | |||
<td>9.0.0 Patch 10</td> | |||
<td>Primerica</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>XXE ([https://cwe.mitre.org/data/definitions/776.html CWE-776]) vulnerability in saml consumer store servlet (Network Edition) </td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2020-35123 CVE-2020-35123]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.5]</td> | |||
<td>Medium</td> | |||
<td>8.8.15 Patch 17</td> | |||
<td>Primerica</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79] vulnerability in tinymce</td> | |||
<td nowrap>n/a</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td> | |||
<td>Medium</td> | |||
<td>9.0.0 Patch 5</td> | |||
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2019-1010091 CVE-2019-1010091]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Memory Leak in nodejs library [https://github.com/sindresorhus/mem mem]</td> | |||
<td nowrap>n/a</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 5.5]</td> | |||
<td>Medium</td> | |||
<td>9.0.0 Patch 5</td> | |||
<td>Upstream, see [https://www.whitesourcesoftware.com/vulnerability-database/WS-2018-0236 WS-2018-0236]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Persistent XSS</td> | |||
<td nowrap> [https://nvd.nist.gov/vuln/detail/CVE-2020-13653 CVE-2020-13653] </td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td> | |||
<td>Minor</td> | |||
<td>8.8.15 Patch 11<br />9.0.0 Patch 4</td> | |||
<td>Telenet</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Unrestricted Upload of File with Dangerous Type [https://cwe.mitre.org/data/definitions/434.html CWE-434]</td> | |||
<td nowrap> [https://nvd.nist.gov/vuln/detail/CVE-2020-12846 CVE-2020-12846] </td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.0]</td> | |||
<td>Minor</td> | |||
<td>8.8.16 Patch 10<br />9.0.0 Patch 3 </td> | |||
<td>Telenet</td> | |||
</tr> | |||
<tr> | <tr> | ||
Line 28: | Line 263: | ||
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td> | <td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td> | ||
<td nowrap> [https://nvd.nist.gov/vuln/detail/CVE-2020-11737 CVE-2020-11737] </td> | <td nowrap> [https://nvd.nist.gov/vuln/detail/CVE-2020-11737 CVE-2020-11737] </td> | ||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 3 | <td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3]</td> | ||
<td>Minor</td> | <td>Minor</td> | ||
<td>9.0.0 Patch 2 </td> | <td>9.0.0 Patch 2 </td> |
Revision as of 12:00, 2 August 2022
Zimbra Security Advisories
Overview
The following Security Vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest release and patches, please be sure to update your Zimbra Collaboration servers with the software available on our Download pages:
- Zimbra Collaboration - Network Edition: https://www.zimbra.com/downloads/ne-downloads.html
- Zimbra Collaboration - Open-Source Edition: https://www.zimbra.com/downloads/os-downloads.html
Zimbra Collaboration - Security Vulnerability Advisories
Note: only supported versions are referenced, however older unsupported versions often have the same vulnerabilities and should be upgraded to supported versions as soon as possible.
(going back to ZCS 7.1.3)
Bug# | Summary | CVE-ID | CVSS Score |
Zimbra Rating |
Fix Release or Patch Version |
Reporter |
---|---|---|---|---|---|---|
Upgraded OpenSSL to 1.1.1q avoid multiple vulnerabilities. | 9.8 | Low | 9.0.0 Patch 26 8.8.15 Patch 33 |
Upstream, see CVE-2022-2068 | ||
Cyrus SASL package has been upgraded to version 2.1.28. | 8.8 | Low | 9.0.0 Patch 26 8.8.15 Patch 33 |
Upstream, see CVE-2022-24407 | ||
Upgraded Log4j to v2. | 10.0 | Low | 9.0.0 Patch 25 8.8.15 Patch 32 |
Upstream, see CVE-2021-44228, CVE-2021-45105, CVE-2019-17571 | ||
Upgraded OpenSSL to 1.1.1n to avoid DoS vulnerability. | 7.5 | Low | 9.0.0 Patch 25 8.8.15 Patch 32 |
Upstream, see CVE-2022-0778 | ||
Upgraded Jetty to 9.4.46 to avoid vulnerability due to large TLS packets causing 100% CPU usage. | 7.5 | Low | 9.0.0 Patch 25 8.8.15 Patch 32 |
Upstream, see CVE-2021-28165 | ||
Upgraded mina-core to version 2.1.6. | 7.5 | Low | 9.0.0 Patch 25 8.8.15 Patch 32 |
Upstream, see CVE-2019-0231 | ||
Memcached poisoning with unauthenticated request. | CVE-2022-27924 | 7.5 | Medium | 9.0.0 Patch 24 8.8.15 Patch 31 |
Simon Scannell of Sonarsource | |
RCE through mboximport from authenticated user. | CVE-2022-27925 | 7.2 | Medium | 9.0.0 Patch 24 8.8.15 Patch 31 |
Mikhail Klyuchnikov of Positive Technologies | |
XSS vulnerability in calendar in classic html client using /h/calendar. | CVE-2022-24682 | 6.1 | Medium | 8.8.15 Patch 30 | Steven Adair and Thomas Lancaster of Volexity | |
Proxy Servlet Open Redirect Vulnerability | CVE-2021-35209 | 9.8 | Medium | 9.0.0 Patch 16 8.8.15 Patch 23 |
Simon Scannell of Sonarsource | |
Open Redirect Vulnerability in preauth servlet | CVE-2021-34807 | 6.1 | Low | 9.0.0 Patch 16 8.8.15 Patch 23 |
Simon Scannell of Sonarsource | |
Stored XSS Vulnerability in ZmMailMsgView.java | CVE-2021-35208 | 5.4 | Medium | 9.0.0 Patch 16 8.8.15 Patch 23 |
Simon Scannell of Sonarsource | |
XSS vulnerability in Zimbra Web Client via loginErrorCode | CVE-2021-35207 | 6.1 | Medium | 9.0.0 Patch 16 8.8.15 Patch 23 |
||
Heap-based buffer overflow vulnerabilities in PHP < 7.3.10 | 9.8 | Critical | 9.0.0 Patch 13 | Upstream, see CVE-2019-9641, CVE-2019-9640 | ||
Heap-based buffer overflow vulnerabilities in PHP < 7.3.10 | 9.8 | Critical | 8.8.15 Patch 20 | Upstream, see CVE-2019-9641, CVE-2019-9640 | ||
Upgraded Apache to 2.4.46 to avoid multiple vulnerabilities. | 7.8 | High | 9.0.0 Patch 13 | Upstream, see CVE-2019-0211, CVE-2019-0217 | ||
Upgraded Apache to 2.4.46 to avoid multiple vulnerabilities. | 7.8 | High | 8.8.15 Patch 20 | Upstream, see CVE-2019-0211, CVE-2019-0217 | ||
XXE (CWE-776) vulnerability in saml consumer store servlet (Network Edition) | CVE-2020-35123 | 6.5 | Medium | 9.0.0 Patch 10 | Primerica | |
XXE (CWE-776) vulnerability in saml consumer store servlet (Network Edition) | CVE-2020-35123 | 6.5 | Medium | 8.8.15 Patch 17 | Primerica | |
XSS CWE-79 vulnerability in tinymce | n/a | 6.1 | Medium | 9.0.0 Patch 5 | Upstream, see CVE-2019-1010091 | |
Memory Leak in nodejs library mem | n/a | 5.5 | Medium | 9.0.0 Patch 5 | Upstream, see WS-2018-0236 | |
Persistent XSS | CVE-2020-13653 | 6.1 | Minor | 8.8.15 Patch 11 9.0.0 Patch 4 |
Telenet | |
Unrestricted Upload of File with Dangerous Type CWE-434 | CVE-2020-12846 | 6.0 | Minor | 8.8.16 Patch 10 9.0.0 Patch 3 |
Telenet | |
Persistent XSS CWE-79 | CVE-2020-11737 | 4.3 | Minor | 9.0.0 Patch 2 | Zimbra | |
109174 | Non-Persistent XSS CWE-79 | CVE-2019-12427 | 4.3 | Minor | 8.8.15 Patch 1 | Meridian Miftari |
109141 | Non-Persistent XSS CWE-79 | CVE-2019-15313 | 4.3 | Minor | 8.8.15 Patch 1 | Quang Bui |
109124 | Non-Persistent XSS CWE-79 | CVE-2019-8947 | 2.6 | Minor | - | Issam Rabhi of Sysdream |
109123 | Persistent XSS CWE-79 | CVE-2019-8946 | 2.6 | Minor | - | Issam Rabhi of Sysdream |
109122 | Persistent XSS CWE-79 | CVE-2019-8945 | 3.5 | Minor | - | Issam Rabhi of Sysdream |
109117 | Persistent XSS CWE-79 | CVE-2019-11318 | 3.5 | Minor | 8.8.12 Patch 1 | Mondher Smii |
109127 | SSRF CWE-918 / CWE-807 | CVE-2019-9621 | 4.0 | Minor | 8.7.11 Patch11 8.8.9 Patch10 8.8.10 Patch8 8.8.11 Patch4 8.8.12 |
An Trinh |
109096 | Blind SSRF CWE-918 | CVE-2019-6981 | 4.0 | Minor | 8.7.11 Patch11 8.8.9 Patch10 8.8.10 Patch8 8.8.11 Patch4 8.8.12 |
An Trinh |
109129 | XXE CWE-611 (8.7.x only) |
CVE-2019-9670 | 6.4 | Major | 8.7.11 Patch10 | Khanh Van Pham An Trinh |
109097 | Insecure object deserialization CWE-502 | CVE-2019-6980 | 5.4 | Major | 8.7.11 Patch9 8.8.9 Patch10 8.8.10 Patch7 8.8.11 Patch3 8.8.12 |
An Trinh |
109093 | XXE CWE-611 | CVE-2018-20160 | 6.4 | Major | 8.7.x see 109129 above 8.8.9 Patch9 8.8.10 Patch5 8.8.11 Patch1 8.8.12 |
An Trinh |
109017 | Non-Persistent XSS CWE-79 | CVE-2018-14013 | 4.3 | Minor | 8.7.11 Patch8 8.8.9 Patch9 8.8.10 Patch5 8.8.11 |
Issam Rabhi of Sysdream |
109020 | Persistent XSS CWE-79 | CVE-2018-18631 | 5.0 | Major | 8.7.11 Patch7 8.8.9 Patch7 8.8.10 Patch2 8.8.11 |
Netragard |
109018 | Non-Persistent CWE-79 | CVE-2018-14013 | 2.6 | Minor | 8.7.11 Patch7 8.8.9 Patch6 8.8.10 Patch1 8.8.11 |
Issam Rabhi of Sysdream |
109021 | Limited Content Spoofing CWE-345 | CVE-2018-17938 | 4.3 | Minor | 8.8.10 | Sumit Sahoo |
109012 | Account Enumeration CWE-203 | CVE-2018-15131 | 5.0 | Major | 8.7.11 Patch6 8.8.8 Patch9 8.8.9 Patch3 |
Danielle Deibler |
108970 | Persistent XSS CWE-79 | CVE-2018-14425 | 3.5 | Minor | 8.8.8 Patch7 8.8.9 Patch1 |
Diego Di Nardo |
108902 | Persistent XSS CWE-79 | CVE-2018-10939 | 3.5 | Minor | 8.6.0 Patch11 8.7.11 Patch4 8.8.8 Patch4 |
Diego Di Nardo |
108963 | Verbose Error Messages CWE-209 | CVE-2018-10950 | 3.5 | Minor | 8.7.11 Patch3 8.8.8 |
Netragard |
108962 | Account Enumeration CWE-203 | CVE-2018-10949 | 5.0 | Major | 8.7.11 Patch3 8.8.8 |
Netragard |
108894 | Persistent XSS CWE-199 | CVE-2018-10951 | 3.6 | Minor | 8.6.0 Patch10 8.7.11 Patch3 8.8.8 |
Netragard |
97579 | CSRF CWE-352 | CVE-2015-7610 | 5.8 | Major | 8.6.0 Patch10 8.7.11 Patch2 8.8.8 Patch1 |
Fortinet's FortiGuard Labs |
108786 | Persistent XSS CWE-79 | CVE-2018-6882 | 4.3 | Minor | 8.6.0 Patch10 8.7.11 Patch1 8.8.7 8.8.8 |
Stephan Kaag of Securify |
108265 | Persistent XSS CWE-79 | CVE-2017-17703 | 4.3 | Minor | 8.6.0 Patch9 8.7.11 Patch1 8.8.3 |
Veit Hailperin |
107963 | Host header injection CWE-20 | - | 4.3 | Minor | 8.8.0 Beta2 | - |
107948 |
Persistent XSS CWE-79 | CVE-2018-10948 | 3.5 | Minor | 8.6.0 Patch10 8.7.11 Patch3 8.8.0 Beta2 |
Lucideus Phil Pearl |
107925 | Persistent XSS - snippet CWE-79 | CVE-2017-8802 | 3.5 | Minor | 8.6.0 Patch9 8.7.11 Patch1 8.8.0 Beta2 |
Compass Security |
107878 | Persistent XSS - location CWE-79 | CVE-2017-8783 | 4.0 | Minor | 8.7.10 | Stephan Kaag of Securify |
107712 | Improper limitation of file paths CWE-22 | CVE-2017-6821 | 4.0 | Minor | 8.7.6 | Greg Solovyev, Phil Pearl |
107684 | Improper handling of privileges CWE-280 | CVE-2017-6813 | 4.0 | Major | 8.6.0 Patch9 8.7.6 |
Greg Solovyev |
106811 | XXE CWE-611 | CVE-2016-9924 | 5.8 | Major | 8.6.0 Patch10 8.7.4 |
Alastair Gray |
106612 | Persistent XSS CWE-79 | CVE-2017-7288 | 4.3 | Minor | 8.6.0 Patch11 8.7.1 |
Sammy Forgit |
105001 105174 |
XSS CWE-79 | CVE-2016-5721 | 4.3 2.1 |
Minor | 8.6.0 Patch11 8.7.0 |
Secu |
104552 104703 |
XSS CWE-79 | CVE-2016-3999 | 4.3 | Minor | 8.7.0 | Nam Habach |
104477 | Open Redirect CWE-601 | CVE-2016-4019 | 4.3 | Minor | 8.7.0 | Zimbra |
104294 104456 |
CSRF CWE-352 | CVE-2016-3406 | 2.6 | Minor | 8.6.0 Patch8 8.7.0 |
Zimbra |
104222 105175 |
XSS CWE-79 | CVE-2016-3407 | 4.3 3.5 4.3 2.1 |
Minor | 8.6.0 Patch11 8.7.0 |
Zimbra |
103997 104791 |
XSS CWE-79 | CVE-2016-3412 | 3.5 | Minor | 8.7.0 | Zimbra |
103996 | XXE (Admin) CWE-611- | CVE-2016-3413 | 2.6 | Minor | 8.6.0 Patch11 8.7.0 |
Zimbra |
103961 104828 |
CSRF CWE-352 | CVE-2016-3405 | 4.3 | Minor | 8.6.0 Patch8 8.7.0 |
Zimbra |
103959 | CSRF CWE-352 | CVE-2016-3404 | 4.3 | Minor | 8.6.0 Patch8 8.7.0 |
Zimbra |
103956 104839 |
XSS CWE-79 | CVE-2016-3410 | 4.3 | Minor | 8.6.0 Patch11 8.7.0 |
Zimbra |
103609 | XSS CWE-79 | CVE-2016-3411 | 3.5 | Minor | 8.6.0 Patch11 8.7.0 |
Zimbra |
102637 | XSS CWE-79 | CVE-2016-3409 | 4.3 | Minor | 8.6.0 Patch11 8.7.0 |
Peter Nguyen |
102276 | Deserialization of Untrusted Data CWE-502 | CVE-2016-3415 | 5.8 | Major | 8.7.0 | Zimbra |
102227 | Deserialization of Untrusted Data CWE-502 | n/a | 7.5 | Major | 8.7.0 | Upstream, see CVE-2015-4852 |
102029 | CWE-674 | CVE-2016-3414 | 4.0 | Minor | 8.6.0 Patch7 8.7.0 |
Zimbra |
101813 | XSS CWE-79 | CVE-2016-3408 | 4.3 | Minor | 8.6.0 Patch11 8.7.0 |
Volexity |
100885 100899 |
CSRF CWE-352 | CVE-2016-3403 | 5.8 | Major | 8.6.0 Patch8 8.7.0 |
Sysdream |
99810 | CWE-284 CWE-203 | CVE-2016-3401 | 3.5 | Minor | 8.7.0 | Zimbra |
99167 | Account Enumeration CWE-203 | CVE-2016-3402 | 2.6 | Minor | 8.7.0 | Zimbra |
101435 101436 |
Persistent XSS CWE-79 | CVE-2015-7609 | 6.4 2.3 |
Major | 8.6.0 Patch5 8.7.0 |
Fortinet's FortiGuard Labs |
101559 96973 |
XSS CWE-79 | CVE-2015-2249 | 3.5 | Minor | 8.6.0 Patch5 8.7.0 |
Zimbra |
99236 | XSS Vuln in YUI components in ZCS | n/a | 4.3 | Minor | 8.6.0 Patch5 | Upstream, see CVE-2012-5881 CVE-2012-5882 CVE-2012-5883 |
98358 98215 |
Non-Persistent XSS CWE-79 | CVE-2015-2249 | 4.3 | Minor | 8.6.0 Patch2 8.7.0 |
Cure53 |
97625 | Non-Persistent XSS CWE-79 | CVE-2015-2230 | 3.5 | Minor | 8.6.0 Patch2 | MWR InfoSecurity |
96105 | Improper Input Validation CWE-20 | CVE-2014-8563 | 5.8 | Major | 8.0.9 8.5.1 8.6.0 |
- |
83547 | CSRF Vulnerability CWE-352 | CVE-2015-6541 | 5.8 | Major | 8.5.0 | iSEC Partners, Sysdream |
87412 92835 |
XSS Vulnerabilities CWE-79 (8.0.7 Patch contains 87412) |
CVE-2014-5500 | 4.3 | Minor | 8.0.8 8.5.0 |
- |
83550 | Session Fixation CWE-384 | CVE-2013-5119 | 5.8 | Major | 8.5.0 | - |
91484 | Patch ZCS8 OpenSSL for CVE-2014-0224 | n/a | 6.8 | Major |
8.0.3+Patch 8.0.4+Patch 8.0.5+Patch 8.0.6+Patch 8.0.7+Patch |
Upstream, see CVE-2014-0224 |
88708 | Patch ZCS8 OpenSSL for CVE-2014-0160 | n/a | 5.0 | Major |
8.0.3+Patch 8.0.4+Patch 8.0.5+Patch 8.0.6+Patch 8.0.7+Patch 8.0.7 |
Upstream, see CVE-2014-0160 |
85499 | Upgrade to OpenSSL 1.0.1f | n/a | 4.3 4.3 5.8 |
Major | 8.0.7 | Upstream, see CVE-2013-4353 CVE-2013-6449 CVE-2013-6450 |
84547 | XXE CWE-611 | CVE-2013-7217 | 6.4 (not 10.0) |
Critical | 7.2.2_Patch3 7.2.3_Patch 7.2.4_Patch2 7.2.5_Patch 7.2.6 8.0.3_Patch3 8.0.4_Patch2 8.0.5_Patch 8.0.6 |
Private |
85478 | XSS vulnerability in message view | - | 6.4 | Major | 8.0.7 | Alban Diquet of iSEC Partners |
85411 | Local root privilege escalation | - | 6.2 | Major | 8.0.7 | Matthew David |
85000 | Patch nginx for CVE-2013-4547 | n/a | 7.5 | Major | 7.2.7 8.0.7 |
Upstream, see CVE-2013-4547 |
Upgrade to JDK 1.6 u41 Upgrade OpenSSL to 1.0.0k Upgrade to JDK 1.7u15+ Upgrade to OpenSSL 1.0.1d |
n/a | 2.6 | Minor | 7.2.3 7.2.3 8.0.3 8.0.3 |
Upstream, see CVE-2013-0169 |
|
80338 | Local file inclusion via skin/branding feature CWE-22 | CVE-2013-7091 | 5.0 | Critical | 6.0.16_Patch 7.1.1_Patch6 7.1.3_Patch3 7.2.2_Patch2 7.2.3 8.0.2_Patch 8.0.3 |
Private |
77655 | Separate keystore for CAs used for X509 authentication | - | 5.8 | Major | 8.0.7 | Private |
75424 | Upgrade to Clamav 0.97.5 | n/a | 4.3 4.3 4.3 |
Minor | 7.2.1 | Upstream, see CVE-2012-1457 CVE-2012-1458 CVE-2012-1459 |
64981 | Do not allow HTTP GET for login | - | 6.8 | Major | 7.1.3_Patch 7.1.4 |
Private |
Try Zimbra
Try now Zimbra Collaboration without any cost with the 60-day free Trial.
Get it now »
Want to get involved?
You can contribute in the Community, in the Wiki, in the Code, or developing Zimlets.
Find out more. »
Other Help Resources
Visit the User Help Page »
Visit the Official Forums »
Zimbra Documentation Page »
Looking for a Video?
Visit our YouTube Channel to keep posted about Webinars, technology news, Product overviews and more.
Go to the YouTube Channel »