Zimbra Security Advisories: Difference between revisions

mNo edit summary
 
(83 intermediate revisions by 5 users not shown)
Line 11: Line 11:
</ul>
</ul>
===Zimbra Collaboration - Security Vulnerability Advisories===
===Zimbra Collaboration - Security Vulnerability Advisories===
<p><span style="font-size: medium;"><em>(going back to ZCS 7.1.3)</em></span></p>
<p> <b>Note</b>: <u>only supported versions are referenced</u>, however older unsupported versions often have the same vulnerabilities and should be upgraded to supported versions as soon as possible. <br /> <em>(going back to ZCS 7.1.3)</em></p>
<div class="col-md-12">
<div class="col-md-12">
     <table class="table table-striped table-condensed">
     <table class="table table-striped table-condensed">
Line 22: Line 22:
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix&nbsp;Release&nbsp;or <br />Patch&nbsp;Version</span></th>
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix&nbsp;Release&nbsp;or <br />Patch&nbsp;Version</span></th>
<th style="background-color: #f15922;"><span style="color: #ffffff;">Reporter</span></th>
<th style="background-color: #f15922;"><span style="color: #ffffff;">Reporter</span></th>
</tr>
<tr>
<td>&nbsp;</td>
<td>A possible Cross-site Scripting (XSS) security vulnerability has been fixed </td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2023-34192 CVE-2023-34192]</td>
<td> TBD </td>
<td> High</td>
<td nowrap>8.8.15 Patch 40</td>
<td>Skay, Noah-Lab</td>
</tr>
<tr>
<td>&nbsp;</td>
<td>As part of continuous improvement, ClientUploader packages has been removed from core product and moved to an optional package  </td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2023-34193 CVE-2023-34193]</td>
<td> TBD </td>
<td> Medium </td>
<td nowrap>Daffodil 10.0.1<br />9.0.0 Patch 33<br />8.8.15 Patch 40</td>
<td>Rudransh Jani of Ownux Global</td>
</tr>
<tr>
<td>&nbsp;</td>
<td>The Apache package has been upgraded to version 2.4.57 to fix multiple vulnerabilities </td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2023-25690 CVE-2023-25690]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 9.8]</td>
<td> Low</td>
<td nowrap> Daffodil 10.0.1<br />9.0.0 Patch 33<br />8.8.15 Patch 40</td>
<td>Jabetto</td>
</tr>
<tr>
<td>&nbsp;</td>
<td>Remove unused JSP file which may bypass the Preauth verification </td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2023-29382 CVE-2023-29382]</td>
<td> TBD </td>
<td> Low</td>
<td nowrap> Daffodil 10.0.1<br />9.0.0 Patch 33<br />8.8.15 Patch 40</td>
<td>Skay, Noah-Lab</td>
</tr>
<tr>
<td>&nbsp;</td>
<td>The Apache CXF package has been upgraded to version 3.5.5 to fix SSRF vulnerability </td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-46364 CVE-2022-46364]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 9.8]</td>
<td> Low</td>
<td nowrap> Daffodil 10.0.1<br />9.0.0 Patch 33<br />8.8.15 Patch 40</td>
<td>Atos Worldline</td>
</tr>
<tr>
<td>&nbsp;</td>
<td>The Spring Core package has been upgraded to version 6.0.8 to fix multiple vulnerabilities </td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-22970 CVE-2022-22971 CVE-2022-22970 CVE-2022-22971]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 5.3]</td>
<td> Low</td>
<td nowrap> Daffodil 10.0.1<br />9.0.0 Patch 33<br />8.8.15 Patch 40</td>
<td>Stuart Williamson, Visa Digital Ticketing</td>
</tr>
<tr>
<td>&nbsp;</td>
<td>Added additional validations for 2FA login. </td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2023-29381 CVE-2023-29381]</td>
<td> TBD </td>
<td> Medium</td>
<td nowrap> Daffodil 10.0.1<br />9.0.0 Patch 33<br />8.8.15 Patch 40</td>
<td>Technik BNV-GZ</td>
</tr>
<tr>
<td></td>
<td>The ClamAV package has been upgraded to version 0.105.2 to fix multiple vulnerabilities.</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2023-20032 CVE-2023-20032]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 9.8]</td>
<td>High</td>
<td nowrap>9.0.0 Patch 31<br />8.8.15 Patch 38</td>
<td></td>
</tr>
<tr>
<td></td>
<td>Multiple security issues related possibility of RXSS attack related to printing messages and appointments have been fixed.</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2023-24031 CVE-2023-24031]</td>
<td>TBD</td>
<td>Low</td>
<td nowrap>9.0.0 Patch 30</td>
<td> Marco Ortisi <br /> Valentin T.</td>
</tr>
<tr>
<td></td>
<td>The OpenSSL package has been upgraded to version 8.7b4 to fix multiple vulnerabilities.</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2023-0286 CVE-2023-0286]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.4]</td>
<td>Low</td>
<td nowrap>9.0.0 Patch 30<br />8.8.15 Patch 37</td>
<td></td>
</tr>
<tr>
<td></td>
<td>Strengthened PreAuth servlet to only redirect to admin configured url, which will prevent security issues related to open redirection vulnerabilities.</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2023-24030 CVE-2023-24030]</td>
<td>TBD</td>
<td>Low</td>
<td nowrap>9.0.0 Patch 30<br />8.8.15 Patch 37</td>
<td>Ali Dinifar</td>
</tr>
<tr>
<td></td>
<td>Previously, the account status was not validated when sending emails using 2FA. Added additional validations for user accounts to check the account status and allow email operations.</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2023-24032 CVE-2023-26562]</td>
<td>TBD</td>
<td>Medium</td>
<td nowrap>9.0.0 Patch 30<br />8.8.15 Patch 37</td>
<td></td>
</tr>
<tr>
<td></td>
<td>Strengthened security of Zimbra product by disallowing usage of some JVM arguments in mailbox manager.</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2023-24032 CVE-2023-24032]</td>
<td>TBD</td>
<td>Low</td>
<td nowrap>9.0.0 Patch 30<br />8.8.15 Patch 37</td>
<td>Ali Dinifar</td>
</tr>
<tr>
<td></td>
<td>The Perl compress zlib package has been upgraded to version 2.103-1 to fix out-of-bounds access vulnerability.</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-25032 CVE-2018-25032]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.5]</td>
<td>Low</td>
<td nowrap>9.0.0 Patch 30<br />8.8.15 Patch 37</td>
<td></td>
</tr>
<tr>
<td></td>
<td>XSS can occur in Classic UI login page by injecting arbitrary javascript code.</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-45911 CVE-2022-45911]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td>
<td>Low</td>
<td nowrap>9.0.0 Patch 28</td>
<td>National Examinations Council of Tanzania (NECTA)</td>
</tr>
<tr>
<td></td>
<td>RCE through ClientUploader from authenticated admin user.</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-45912 CVE-2022-45912]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.2]</td>
<td>Medium</td>
<td nowrap>9.0.0 Patch 28<br />8.8.15 Patch 35</td>
<td>Strio</td>
</tr>
<tr>
<td></td>
<td>XSS can occur via one of attribute in webmail urls, leading to information disclosure.</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-45913 CVE-2022-45913]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td>
<td>Medium</td>
<td nowrap>9.0.0 Patch 28<br />8.8.15 Patch 35</td>
<td>Kim Yong-Jin </td>
</tr>
<tr>
<td></td>
<td>The Apache package has been upgraded to version 2.4.54 to fix multiple vulnerabilities.</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-26377 CVE-2022-26377]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.5]</td>
<td>Medium</td>
<td nowrap>9.0.0 Patch 28<br />8.8.15 Patch 35</td>
<td></td>
</tr>
<tr>
<td></td>
<td>The ClamAV package has been upgraded to version 0.105.1-2 to fix multiple vulnerabilities.</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-20770 CVE-2022-20770] <br />[https://nvd.nist.gov/vuln/detail/CVE-2022-20771 CVE-2022-20771]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.5]</td>
<td>Low</td>
<td nowrap>9.0.0 Patch 28<br />8.8.15 Patch 35</td>
<td></td>
</tr>
<tr>
<td></td>
<td>YUI dependency is removed from WebClient and Admin Console.</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2013-6780 CVE-2013-6780]</td>
<td>TBD</td>
<td>Medium</td>
<td nowrap>9.0.0 Patch 28</td>
<td></td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80716 80716]</td>
<td>An attacker can use cpio package to gain incorrect access to any other user accounts. Zimbra recommends pax over cpio.</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-41352 CVE-2022-41352]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 9.8]</td>
<td>Major</td>
<td nowrap>9.0.0 Patch 27<br />8.8.15 Patch 34</td>
<td>Yeak Nai Siew</td>
</tr>
<tr>
<td></td>
<td>Zimbra's sudo configuration permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters.</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-37393 CVE-2022-37393]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.8]</td>
<td>Medium</td>
<td nowrap>9.0.0 Patch 27<br />8.8.15 Patch 34</td>
<td>Darren Martyn</td>
</tr>
<tr>
<td></td>
<td>XSS can occur via one of the attribute of an IMG element, leading to information disclosure.</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-41348 CVE-2022-41348]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td>
<td>Medium</td>
<td nowrap>9.0.0 Patch 27</td>
<td>Synacktiv</td>
</tr>
<tr>
<td></td>
<td>XSS can occur via one of attribute in search component of webmail, leading to information disclosure.</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-41350 CVE-2022-41350]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td>
<td>Medium</td>
<td nowrap>8.8.15 Patch 34</td>
<td>Tin Pham aka TF1T of VietSunshine Cyber Security Services</td>
</tr>
<tr>
<td></td>
<td>XSS can occur via one of attribute in compose component of webmail, leading to information disclosure.</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-41349 CVE-2022-41349]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td>
<td>Medium</td>
<td nowrap>8.8.15 Patch 34</td>
<td>Tin Pham aka TF1T of VietSunshine Cyber Security Services</td>
</tr>
<tr>
<td></td>
<td>XSS can occur via one of attribute in calendar component of webmail, leading to information disclosure.</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-41351 CVE-2022-41351]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td>
<td>Medium</td>
<td nowrap>8.8.15 Patch 34</td>
<td>Tin Pham aka TF1T of VietSunshine Cyber Security Services</td>
</tr>
<tr>
<td></td>
<td>Upgraded OpenSSL to 1.1.1q avoid multiple vulnerabilities.</td>
<td></td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 9.8]</td>
<td>Low</td>
<td nowrap>9.0.0 Patch 26<br />8.8.15 Patch 33</td>
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2022-2068 CVE-2022-2068]</td>
</tr>
<tr>
<td></td>
<td>Authentication Bypass in MailboxImportServlet.</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-37042 CVE-2022-37042]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 9.8]</td>
<td>High</td>
<td nowrap>9.0.0 Patch 26<br />8.8.15 Patch 33</td>
<td>Steven Adair and Thomas Lancaster of [https://www.volexity.com/ Volexity]</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109447 109447]</td>
<td>Proxy Servlet SSRF Vulnerability.</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-37041 CVE-2022-37041]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.5]</td>
<td>Low</td>
<td nowrap>9.0.0 Patch 26<br />8.8.15 Patch 33</td>
<td>Nicolas VERDIER of onepoint</td>
</tr>
<tr>
<td></td>
<td>When using preauth, CSRF tokens are not checked on some post endpoints.</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-37043 CVE-2022-37043]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 5.7]</td>
<td>Low</td>
<td nowrap>9.0.0 Patch 26<br />8.8.15 Patch 33</td>
<td>Telenet security team</td>
</tr>
<tr>
<td></td>
<td>Cyrus SASL package has been upgraded to version 2.1.28.</td>
<td></td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 8.8]</td>
<td>Low</td>
<td nowrap>9.0.0 Patch 26<br />8.8.15 Patch 33</td>
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2022-24407 CVE-2022-24407]</td>
</tr>
<tr>
<td></td>
<td>RXSS on '/h/search' via title parameter </td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-37044 CVE-2022-37044]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td>
<td>Low</td>
<td nowrap>8.8.15 Patch 33</td>
<td></td>
</tr>
<tr>
<td></td>
<td>RXSS on '/h/search' via onload parameter</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-37044 CVE-2022-37044]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td>
<td>Low</td>
<td nowrap>8.8.15 Patch 33</td>
<td></td>
</tr>
<tr>
<td></td>
<td>RXSS on '/h/search' via extra parameter</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-37044 CVE-2022-37044]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td>
<td>Low</td>
<td nowrap>8.8.15 Patch 33</td>
<td></td>
</tr>
<tr>
<td></td>
<td>Upgraded Log4j to v2.</td>
<td></td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 10.0]</td>
<td>Low</td>
<td nowrap>9.0.0 Patch 25<br />8.8.15 Patch 32</td>
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2021-44228 CVE-2021-44228], [https://nvd.nist.gov/vuln/detail/CVE-2021-45105 CVE-2021-45105], [https://nvd.nist.gov/vuln/detail/CVE-2019-17571 CVE-2019-17571]</td>
</tr>
<tr>
<td></td>
<td>Upgraded OpenSSL to 1.1.1n to avoid DoS vulnerability.</td>
<td></td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.5]</td>
<td>Low</td>
<td nowrap>9.0.0 Patch 25<br />8.8.15 Patch 32</td>
<td>Upstream, see [https://access.redhat.com/security/cve/cve-2022-0778 CVE-2022-0778]</td>
</tr>
<tr>
<td></td>
<td>Upgraded Jetty to 9.4.46 to avoid vulnerability due to large TLS packets causing 100% CPU usage.</td>
<td></td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.5]</td>
<td>Low</td>
<td nowrap>9.0.0 Patch 25<br />8.8.15 Patch 32</td>
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2021-28165 CVE-2021-28165]</td>
</tr>
<tr>
<td></td>
<td>Upgraded mina-core to version 2.1.6.</td>
<td></td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.5]</td>
<td>Low</td>
<td nowrap>9.0.0 Patch 25<br />8.8.15 Patch 32</td>
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2019-0231 CVE-2019-0231]</td>
</tr>
<tr>
<td></td>
<td>Memcached poisoning with unauthenticated request.</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-27924 CVE-2022-27924]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.5]</td>
<td>Medium</td>
<td nowrap>9.0.0 Patch 24<br />8.8.15 Patch 31</td>
<td>Simon Scannell of [https://sonarsource.com/ Sonarsource]</td>
</tr>
<tr>
<td></td>
<td>RCE through mboximport from authenticated user.</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-27925 CVE-2022-27925]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.2]</td>
<td>Medium</td>
<td nowrap>9.0.0 Patch 24<br />8.8.15 Patch 31</td>
<td>Mikhail Klyuchnikov of [https://www.ptsecurity.com Positive Technologies]</td>
</tr>
<tr>
<td></td>
<td>XSS vulnerability in calendar in classic html client using /h/calendar. </td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-24682 CVE-2022-24682]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td>
<td>Medium</td>
<td nowrap>8.8.15 Patch 30</td>
<td>Steven Adair and Thomas Lancaster of [https://www.volexity.com/ Volexity]</td>
</tr>
<tr>
<td></td>
<td>Proxy Servlet Open Redirect Vulnerability</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2021-35209 CVE-2021-35209]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 9.8]</td>
<td>Medium</td>
<td nowrap>9.0.0 Patch 16<br />8.8.15 Patch 23</td>
<td>Simon Scannell of [https://sonarsource.com/ Sonarsource]</td>
</tr>
<tr>
<td></td>
<td>Open Redirect Vulnerability in preauth servlet</td>
<td> [https://nvd.nist.gov/vuln/detail/CVE-2021-34807 CVE-2021-34807]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td>
<td>Low</td>
<td nowrap>9.0.0 Patch 16<br />8.8.15 Patch 23</td>
<td>Simon Scannell of [https://sonarsource.com/ Sonarsource]</td>
</tr>
<tr>
<td></td>
<td>Stored XSS Vulnerability in ZmMailMsgView.java</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2021-35208 CVE-2021-35208]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 5.4]</td>
<td>Medium</td>
<td nowrap>9.0.0 Patch 16<br />8.8.15 Patch 23</td>
<td>Simon Scannell of [https://sonarsource.com/ Sonarsource]</td>
</tr>
<tr>
<td></td>
<td>XSS vulnerability in Zimbra Web Client via loginErrorCode</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2021-35207 CVE-2021-35207]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td>
<td>Medium</td>
<td nowrap>9.0.0 Patch 16<br />8.8.15 Patch 23</td>
<td></td>
</tr>
<tr>
<td></td>
<td>Heap-based buffer overflow vulnerabilities in PHP < 7.3.10</td>
<td></td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 9.8]</td>
<td>Critical</td>
<td>9.0.0 Patch 13</td>
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2019-9641 CVE-2019-9641], [https://nvd.nist.gov/vuln/detail/CVE-2019-9640 CVE-2019-9640]</td>
</tr>
<tr>
<td></td>
<td>Heap-based buffer overflow vulnerabilities in PHP < 7.3.10</td>
<td></td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 9.8]</td>
<td>Critical</td>
<td>8.8.15 Patch 20</td>
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2019-9641 CVE-2019-9641], [https://nvd.nist.gov/vuln/detail/CVE-2019-9640 CVE-2019-9640]</td>
</tr>
<tr>
<td></td>
<td>Upgraded Apache to 2.4.46 to avoid multiple vulnerabilities.</td>
<td></td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.8]</td>
<td>High</td>
<td>9.0.0 Patch 13</td>
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2019-0211 CVE-2019-0211], [https://nvd.nist.gov/vuln/detail/CVE-2019-0217 CVE-2019-0217]</td>
</tr>
<tr>
<td></td>
<td>Upgraded Apache to 2.4.46 to avoid multiple vulnerabilities.</td>
<td></td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.8]</td>
<td>High</td>
<td>8.8.15 Patch 20</td>
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2019-0211 CVE-2019-0211], [https://nvd.nist.gov/vuln/detail/CVE-2019-0217 CVE-2019-0217]</td>
</tr>
<tr>
<td></td>
<td>XXE ([https://cwe.mitre.org/data/definitions/776.html CWE-776]) vulnerability in saml consumer store servlet (Network Edition) </td>
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2020-35123 CVE-2020-35123]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.5]</td>
<td>Medium</td>
<td>9.0.0 Patch 10</td>
<td>Primerica</td>
</tr>
<tr>
<td></td>
<td>XXE ([https://cwe.mitre.org/data/definitions/776.html CWE-776]) vulnerability in saml consumer store servlet (Network Edition) </td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2020-35123 CVE-2020-35123]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.5]</td>
<td>Medium</td>
<td>8.8.15 Patch 17</td>
<td>Primerica</td>
</tr>
<tr>
<td></td>
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79] vulnerability in tinymce</td>
<td nowrap>n/a</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td>
<td>Medium</td>
<td>9.0.0 Patch 5</td>
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2019-1010091 CVE-2019-1010091]</td>
</tr>
<tr>
<td></td>
<td>Memory Leak in nodejs library [https://github.com/sindresorhus/mem mem]</td>
<td nowrap>n/a</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 5.5]</td>
<td>Medium</td>
<td>9.0.0 Patch 5</td>
<td>Upstream, see [https://www.whitesourcesoftware.com/vulnerability-database/WS-2018-0236 WS-2018-0236]</td>
</tr>
<tr>
<td></td>
<td>Persistent XSS</td>
<td nowrap> [https://nvd.nist.gov/vuln/detail/CVE-2020-13653 CVE-2020-13653] </td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td>
<td>Minor</td>
<td>8.8.15 Patch 11<br />9.0.0 Patch 4</td>
<td>Telenet</td>
</tr>
<tr>
<td></td>
<td>Unrestricted Upload of File with Dangerous Type [https://cwe.mitre.org/data/definitions/434.html CWE-434]</td>
<td nowrap> [https://nvd.nist.gov/vuln/detail/CVE-2020-12846 CVE-2020-12846] </td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.0]</td>
<td>Minor</td>
<td>8.8.16 Patch 10<br />9.0.0 Patch 3 </td>
<td>Telenet</td>
</tr>
<tr>
<td></td>
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td nowrap> [https://nvd.nist.gov/vuln/detail/CVE-2020-11737 CVE-2020-11737] </td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3]</td>
<td>Minor</td>
<td>9.0.0 Patch 2 </td>
<td>Zimbra</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109174 109174]</td>
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td nowrap> [https://nvd.nist.gov/vuln/detail/CVE-2019-12427 CVE-2019-12427] </td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3]</td>
<td>Minor</td>
<td> 8.8.15 Patch 1 </td>
<td>Meridian Miftari</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109141 109141]</td>
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-15313 CVE-2019-15313]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3]</td>
<td>Minor</td>
<td> 8.8.15 Patch 1 </td>
<td>Quang Bui</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109124 109124]</td>
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-8947 CVE-2019-8947]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td>
<td>Minor</td>
<td> - </td>
<td>Issam Rabhi of Sysdream</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109123 109123]</td>
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-8946 CVE-2019-8946]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td>
<td>Minor</td>
<td> - </td>
<td>Issam Rabhi of Sysdream</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109122 109122]</td>
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-8945 CVE-2019-8945]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td>
<td>Minor</td>
<td> - </td>
<td>Issam Rabhi of Sysdream</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109117 109117]</td>
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-11318 CVE-2019-11318]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td>
<td>Minor</td>
<td> 8.8.12 Patch 1 </td>
<td>Mondher Smii</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109127 109127]</td>
<td>SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918] / [https://cwe.mitre.org/data/definitions/807.html CWE-807]</td>
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-9621 CVE-2019-9621]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td>
<td>Minor</td>
<td> 8.7.11 Patch11 <br /> 8.8.9 Patch10 <br /> 8.8.10 Patch8 <br /> 8.8.11 Patch4 <br /> 8.8.12 </td>
<td>An Trinh</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109096 109096]</td>
<td>Blind SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918]</td>
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-6981 CVE-2019-6981]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td>
<td>Minor</td>
<td> 8.7.11 Patch11 <br /> 8.8.9 Patch10 <br /> 8.8.10 Patch8 <br /> 8.8.11 Patch4 <br /> 8.8.12 </td>
<td>An Trinh</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109129 109129]</td>
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611] <br />(8.7.x only)</td>
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-9670 CVE-2019-9670]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td>
<td>Major</td>
<td>8.7.11 Patch10</td>
<td>Khanh Van Pham <br /> An Trinh</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109097 109097]</td>
<td>Insecure object deserialization [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td>
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:A/AC:M/Au:N/C:P/I:P/A:P) 5.4]</td>
<td>Major</td>
<td>8.7.11 Patch9 <br /> 8.8.9 Patch10 <br /> 8.8.10 Patch7 <br /> 8.8.11 Patch3 <br /> 8.8.12</td>
<td>An Trinh</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109093 109093]</td>
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td>
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td>
<td>Major</td>
<td>8.7.x see [https://bugzilla.zimbra.com/show_bug.cgi?id=109129 109129] above <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 Patch1 <br /> 8.8.12</td>
<td>An Trinh</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109017 109017]</td>
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>Minor</td>
<td>8.7.11 Patch8 <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 </td>
<td>Issam Rabhi of Sysdream</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109020 109020]</td>
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0]</td>
<td>Major</td>
<td>8.7.11 Patch7 <br /> 8.8.9 Patch7 <br /> 8.8.10 Patch2 <br /> 8.8.11 </td>
<td>Netragard</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109018 109018]</td>
<td>Non-Persistent [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td>
<td>Minor</td>
<td>8.7.11 Patch7 <br /> 8.8.9 Patch6 <br /> 8.8.10 Patch1 <br /> 8.8.11 </td>
<td>Issam Rabhi of Sysdream</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109021 109021]</td>
<td>Limited Content Spoofing [https://cwe.mitre.org/data/definitions/345.html CWE-345]</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>Minor</td>
<td>8.8.10</td>
<td>Sumit Sahoo</td>
</tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109012 109012]</td>
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td>
<td>Major</td>
<td>8.7.11 Patch6 <br /> 8.8.8 Patch9 <br /> 8.8.9 Patch3</td>
<td>Danielle Deibler</td>
</tr>
</tr>


Line 27: Line 753:
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108970 108970]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108970 108970]</td>
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>TBD</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td>
<td>Minor</td>
<td>Minor</td>
<td>8.8.8 Patch7<br /> 8.8.9 Patch1</td>
<td>8.8.8 Patch7 <br /> 8.8.9 Patch1</td>
<td>Diego Di Nardo</td>
<td>Diego Di Nardo</td>
</tr>
</tr>
Line 40: Line 766:
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td>
<td>Minor</td>
<td>Minor</td>
<td>8.7.11 Patch4<br /> 8.8.8 Patch4</td>
<td>8.6.0 Patch11 <br /> 8.7.11 Patch4 <br /> 8.8.8 Patch4</td>
<td>Diego Di Nardo</td>
<td>Diego Di Nardo</td>
</tr>
</tr>
Line 50: Line 776:
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td>
<td>Minor</td>
<td>Minor</td>
<td>8.7.11 Patch3<br /> 8.8.8</td>
<td>8.7.11 Patch3 <br /> 8.8.8</td>
<td>Netragard</td>
<td>Netragard</td>
</tr>
</tr>
Line 56: Line 782:
<tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108962 108962]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108962 108962]</td>
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td>
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10949 CVE-2018-10949]</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10949 CVE-2018-10949]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td>
Line 70: Line 796:
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:S/C:P/I:P/A:N) 3.6]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:S/C:P/I:P/A:N) 3.6]</td>
<td>Minor</td>
<td>Minor</td>
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3<br /> 8.8.8</td>
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.8</td>
<td>Netragard</td>
<td>Netragard</td>
</tr>
</tr>
Line 90: Line 816:
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>Minor</td>
<td>Minor</td>
<td>8.6.0 Patch10 <br />8.7.11 Patch1 <br /> 8.8.7 <br /> 8.8.8</td>
<td>8.6.0 Patch10 <br /> 8.7.11 Patch1 <br /> 8.8.7 <br /> 8.8.8</td>
<td>Stephan Kaag of Securify</td>
<td>Stephan Kaag of Securify</td>
</tr>
</tr>
Line 119: Line 845:
</td>
</td>
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2018-10948</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10948 CVE-2018-10948]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td>
<td>Minor</td>
<td>Minor</td>
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br />8.8.0 Beta2</td>
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.0 Beta2</td>
<td>Lucideus <br /> Phil Pearl</td>
<td>Lucideus <br /> Phil Pearl</td>
</tr>
</tr>
Line 162: Line 888:
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td>
<td>Major</td>
<td>Major</td>
<td>8.7.6</td>
<td>8.6.0 Patch9 <br /> 8.7.6</td>
<td>Greg Solovyev</td>
<td>Greg Solovyev</td>
</tr>
</tr>
Line 168: Line 894:
<tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106811 106811]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106811 106811]</td>
<td>Limited XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td>
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-9924 CVE-2016-9924]</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-9924 CVE-2016-9924]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3]</td>
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td>
<td>Minor</td>
<td>Major</td>
<td>8.6.0 Patch10 <br /> 8.7.4</td>
<td>8.6.0 Patch10 <br /> 8.7.4</td>
<td>Alastair Gray</td>
<td>Alastair Gray</td>
Line 179: Line 905:
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106612 106612]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106612 106612]</td>
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7288 CVE-2017-7288]</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-7288 CVE-2017-7288]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>Minor</td>
<td>Minor</td>
<td>8.7.1</td>
<td>8.6.0 Patch11 <br /> 8.7.1</td>
<td>Sammy Forgit</td>
<td>Sammy Forgit</td>
</tr>
</tr>
Line 190: Line 916:
[https://bugzilla.zimbra.com/show_bug.cgi?id=105174 105174]</td>
[https://bugzilla.zimbra.com/show_bug.cgi?id=105174 105174]</td>
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2016-5721</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-5721 CVE-2016-5721]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td>
<td>Minor</td>
<td>Minor</td>
<td>8.7.0</td>
<td>8.6.0 Patch11 <br /> 8.7.0</td>
<td>Secu</td>
<td>Secu</td>
</tr>
</tr>
Line 201: Line 927:
[https://bugzilla.zimbra.com/show_bug.cgi?id=104703 104703]</td>
[https://bugzilla.zimbra.com/show_bug.cgi?id=104703 104703]</td>
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2016-3999</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3999 CVE-2016-3999]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>Minor</td>
<td>Minor</td>
Line 210: Line 936:
<tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104477 104477]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104477 104477]</td>
<td><!-- [http://cwe.mitre.org/data/definitions/601.html CWE-601] -->-</td>
<td>Open Redirect [https://cwe.mitre.org/data/definitions/601.html CWE-601]</td>
<td>CVE-2016-4019</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-4019 CVE-2016-4019]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>Minor</td>
<td>Minor</td>
Line 221: Line 947:
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104294 104294] <br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104294 104294] <br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104456 104456]</td>
[https://bugzilla.zimbra.com/show_bug.cgi?id=104456 104456]</td>
<td>CSRF [http://cwe.mitre.org/data/definitions/352.html CWE-352]</td>
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td>
<td>CVE-2016-3406</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3406 CVE-2016-3406]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td>
<td>Minor</td>
<td>Minor</td>
Line 230: Line 956:


<tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104222 104222] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104910 104910] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=105071 105071] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=105175 105175]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104222 104222] <br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104910 104910] <br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105071 105071] <br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105175 105175]</td>
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2016-3407</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3407 CVE-2016-3407]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td>
<td>Minor</td>
<td>Minor</td>
<td>8.7.0</td>
<td>8.6.0 Patch11 <br /> 8.7.0</td>
<td>Zimbra</td>
<td>Zimbra</td>
</tr>
</tr>


<tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103997 103997] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104413 104413] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104414 104414] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104777 104777] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104791 104791]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103997 103997] <br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104413 104413] <br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104414 104414] <br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104777 104777] <br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104791 104791]</td>
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2016-3412</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3412 CVE-2016-3412]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td>
<td>Minor</td>
<td>Minor</td>
Line 251: Line 984:
<tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103996 103996]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103996 103996]</td>
<td><!-- [http://cwe.mitre.org/data/definitions/611.html CWE-611] -->-</td>
<td>XXE (Admin) [https://cwe.mitre.org/data/definitions/611.html CWE-611]-</td>
<td>CVE-2016-3413</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3413 CVE-2016-3413]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td>
<td>Minor</td>
<td>Minor</td>
<td>8.7.0</td>
<td>8.6.0 Patch11 <br /> 8.7.0</td>
<td>Zimbra</td>
<td>Zimbra</td>
</tr>
</tr>


<tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103961 103961] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104828 104828]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103961 103961] <br />
<td>CSRF [http://cwe.mitre.org/data/definitions/352.html CWE-352]</td>
[https://bugzilla.zimbra.com/show_bug.cgi?id=104828 104828]</td>
<td>CVE-2016-3405</td>
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3405 CVE-2016-3405]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>Minor</td>
<td>Minor</td>
Line 271: Line 1,005:
<tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103959 103959]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103959 103959]</td>
<td>CSRF [http://cwe.mitre.org/data/definitions/352.html CWE-352]</td>
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td>
<td>CVE-2016-3404</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3404 CVE-2016-3404]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>Minor</td>
<td>Minor</td>
Line 280: Line 1,014:


<tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103956 103956] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=103995 103995] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104475 104475] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104838 104838] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104839 104839]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103956 103956] <br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=103995 103995] <br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104475 104475] <br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104838 104838] <br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104839 104839]</td>
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2016-3410</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3410 CVE-2016-3410]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>Minor</td>
<td>Minor</td>
<td>8.7.0</td>
<td> 8.6.0 Patch11 <br /> 8.7.0</td>
<td>Zimbra</td>
<td>Zimbra</td>
</tr>
</tr>
Line 292: Line 1,030:
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103609 103609]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103609 103609]</td>
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2016-3411</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3411 CVE-2016-3411]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td>
<td>Minor</td>
<td>Minor</td>
<td>8.7.0</td>
<td>8.6.0 Patch11 <br /> 8.7.0</td>
<td>Zimbra</td>
<td>Zimbra</td>
</tr>
</tr>
Line 302: Line 1,040:
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102637 102637]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102637 102637]</td>
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2016-3409</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3409 CVE-2016-3409]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>Minor</td>
<td>Minor</td>
<td>8.7.0</td>
<td>8.6.0 Patch11 <br /> 8.7.0</td>
<td>Peter Nguyen</td>
<td>Peter Nguyen</td>
</tr>
</tr>
Line 311: Line 1,049:
<tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102276 102276]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102276 102276]</td>
<td>[https://cwe.mitre.org/data/definitions/502.html CWE-502]</td>
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td>
<td>CVE-2016-3415</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3415 CVE-2016-3415]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td>
<td>Major</td>
<td>Major</td>
Line 321: Line 1,059:
<tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102227 102227]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102227 102227]</td>
<td>[https://cwe.mitre.org/data/definitions/502.html CWE-502]</td>
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td>
<td>n/a</td>
<td>n/a</td>
<td>7.5</td>
<td>7.5</td>
Line 332: Line 1,070:
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102029 102029]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102029 102029]</td>
<td>[https://cwe.mitre.org/data/definitions/674.html CWE-674]</td>
<td>[https://cwe.mitre.org/data/definitions/674.html CWE-674]</td>
<td>CVE-2016-3414</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3414 CVE-2016-3414]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0]</td>
<td>Minor</td>
<td>Minor</td>
Line 342: Line 1,080:
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101813 101813]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101813 101813]</td>
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2016-3408</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3408 CVE-2016-3408]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>Minor</td>
<td>Minor</td>
<td>8.7.0</td>
<td>8.6.0 Patch11 <br /> 8.7.0</td>
<td>Volexity</td>
<td>Volexity</td>
</tr>
</tr>


<tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=100885 100885] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=100899 100899]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=100885 100885] <br />
<td>CSRF [http://cwe.mitre.org/data/definitions/352.html CWE-352]</td>
[https://bugzilla.zimbra.com/show_bug.cgi?id=100899 100899]</td>
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3403 CVE-2016-3403]</td>
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3403 CVE-2016-3403]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td>
<td>Major</td>
<td>Major</td>
Line 361: Line 1,100:
<tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99810 99810]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99810 99810]</td>
<td><!-- [http://cwe.mitre.org/data/definitions/284.html CWE-284] [http://cwe.mitre.org/data/definitions/203.html CWE-203] -->-</td>
<td>[https://cwe.mitre.org/data/definitions/284.html CWE-284] [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td>
<td>CVE-2016-3401</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3401 CVE-2016-3401]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td>
<td>Minor</td>
<td>Minor</td>
Line 371: Line 1,110:
<tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99167 99167]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99167 99167]</td>
<td><!-- [http://cwe.mitre.org/data/definitions/203.html CWE-203] -->-</td>
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td>
<td>CVE-2016-3402</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3402 CVE-2016-3402]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td>
<td>Minor</td>
<td>Minor</td>
Line 380: Line 1,119:


<tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101435 101435] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=101436 101436]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101435 101435] <br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=101436 101436]</td>
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2015-7609</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-7609 CVE-2015-7609]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]<br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.3]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]<br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.3]</td>
<td>Major</td>
<td>Major</td>
Line 390: Line 1,130:


<tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101559 101559] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=100133 100133] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=99854 99854] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=99914 99914] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=96973 96973]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101559 101559] <br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100133 100133] <br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99854 99854] <br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99914 99914] <br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=96973 96973]</td>
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2015-2249</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-2249 CVE-2015-2249]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td>
<td>Minor</td>
<td>Minor</td>
Line 410: Line 1,154:


<tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=98358 98358] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=98216 98216] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=98215 98215]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=98358 98358] <br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98216 98216] <br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98215 98215]</td>
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2015-2249</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-2249 CVE-2015-2249]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>Minor</td>
<td>Minor</td>
Line 422: Line 1,168:
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97625 97625]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97625 97625]</td>
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
<td>CVE-2015-2230</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-2230 CVE-2015-2230]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td>
<td>Minor</td>
<td>Minor</td>
Line 432: Line 1,178:
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=96105 96105]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=96105 96105]</td>
<td>Improper Input Validation [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td>
<td>Improper Input Validation [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td>
<td>CVE-2014-8563</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2014-8563 CVE-2014-8563]</td>
<td>[http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td>
<td>Major</td>
<td>Major</td>
<td>8.0.9 <br /> 8.5.1<br /> 8.6.0</td>
<td>8.0.9 <br /> 8.5.1 <br /> 8.6.0</td>
<td>&nbsp;-</td>
<td>&nbsp;-</td>
</tr>
</tr>
Line 442: Line 1,188:
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83547 83547]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83547 83547]</td>
<td>CSRF Vulnerability [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td>
<td>CSRF Vulnerability [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td>
<td>CVE-2015-6541</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-6541 CVE-2015-6541]</td>
<td>[http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td>
<td>Major</td>
<td>Major</td>
<td>8.5.0</td>
<td>8.5.0</td>
Line 450: Line 1,196:


<tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=92825 92825] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=92833 92833] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=92835 92835]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412] <br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92825 92825] <br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92833 92833] <br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92835 92835]</td>
<td>XSS Vulnerabilities [https://cwe.mitre.org/data/definitions/79.html CWE-79] <br /> (8.0.7 Patch <br /> contains [https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412])</td>
<td>XSS Vulnerabilities [https://cwe.mitre.org/data/definitions/79.html CWE-79] <br /> (8.0.7 Patch <br /> contains [https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412])</td>
<td>CVE-2014-5500</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2014-5500 CVE-2014-5500]</td>
<td>[http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
<td>Minor</td>
<td>Minor</td>
<td>8.0.8 <br /> 8.5.0</td>
<td>8.0.8 <br /> 8.5.0</td>
Line 462: Line 1,211:
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83550 83550]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83550 83550]</td>
<td>Session Fixation [https://cwe.mitre.org/data/definitions/384.html CWE-384]</td>
<td>Session Fixation [https://cwe.mitre.org/data/definitions/384.html CWE-384]</td>
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5119 CVE-2013-5119]</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2013-5119 CVE-2013-5119]</td>
<td>[http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/AU:N/C:P/I:P/A:N) 5.8]</td>
<td>[https://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/AU:N/C:P/I:P/A:N) 5.8]</td>
<td>Major</td>
<td>Major</td>
<td>8.5.0</td>
<td>8.5.0</td>
Line 501: Line 1,250:
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td>
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td>
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td>
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217 CVE-2013-7217]</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2013-7217 CVE-2013-7217]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4] <br /> (not 10.0)</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4] <br /> (not 10.0)</td>
<td>Critical</td>
<td>Critical</td>
Line 536: Line 1,285:
<tr>
<tr>
<td style="white-space:nowrap">
<td style="white-space:nowrap">
[https://bugzilla.zimbra.com/show_bug.cgi?id=80450 80450] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=80131 80131] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=80445 80445] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=80132 80132]
[https://bugzilla.zimbra.com/show_bug.cgi?id=80450 80450] <br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80131 80131] <br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80445 80445] <br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80132 80132]
</td>
</td>
<td style="white-space:nowrap">
<td style="white-space:nowrap">
Upgrade to JDK 1.6 u41 <br /> Upgrade OpenSSL to 1.0.0k<br /> Upgrade to JDK 1.7u15+<br /> Upgrade to OpenSSL 1.0.1d</td>
Upgrade to JDK 1.6 u41 <br /> Upgrade OpenSSL to 1.0.0k <br /> Upgrade to JDK 1.7u15+ <br /> Upgrade to OpenSSL 1.0.1d</td>
<td>n/a</td>
<td>n/a</td>
<td>2.6</td>
<td>2.6</td>
Line 548: Line 1,300:
<tr>
<tr>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80338 80338]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80338 80338]</td>
<td>Local file inclusion via skin/branding feature [http://cwe.mitre.org/data/definitions/22.html CWE-22]</td>
<td>Local file inclusion via skin/branding feature [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td>
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091 CVE-2013-7091]</td>
<td>[https://nvd.nist.gov/vuln/detail/CVE-2013-7091 CVE-2013-7091]</td>
<td>[https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2013-7091&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td>
<td>[https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2013-7091&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td>
<td>Critical</td>
<td>Critical</td>

Latest revision as of 12:30, 2 June 2023

  1. Zimbra Tech Center
  2. Security Center
  3. Zimbra Security Advisories

Zimbra Security Advisories

Overview

The following Security Vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest release and patches, please be sure to update your Zimbra Collaboration servers with the software available on our Download pages:

Zimbra Collaboration - Security Vulnerability Advisories

Note: only supported versions are referenced, however older unsupported versions often have the same vulnerabilities and should be upgraded to supported versions as soon as possible.
(going back to ZCS 7.1.3)

Bug# Summary CVE-ID CVSS
Score		 Zimbra
Rating		 Fix Release or
Patch Version		 Reporter
  A possible Cross-site Scripting (XSS) security vulnerability has been fixed CVE-2023-34192 TBD High 8.8.15 Patch 40 Skay, Noah-Lab
  As part of continuous improvement, ClientUploader packages has been removed from core product and moved to an optional package CVE-2023-34193 TBD Medium Daffodil 10.0.1
9.0.0 Patch 33
8.8.15 Patch 40		 Rudransh Jani of Ownux Global
  The Apache package has been upgraded to version 2.4.57 to fix multiple vulnerabilities CVE-2023-25690 9.8 Low Daffodil 10.0.1
9.0.0 Patch 33
8.8.15 Patch 40		 Jabetto
  Remove unused JSP file which may bypass the Preauth verification CVE-2023-29382 TBD Low Daffodil 10.0.1
9.0.0 Patch 33
8.8.15 Patch 40		 Skay, Noah-Lab
  The Apache CXF package has been upgraded to version 3.5.5 to fix SSRF vulnerability CVE-2022-46364 9.8 Low Daffodil 10.0.1
9.0.0 Patch 33
8.8.15 Patch 40		 Atos Worldline
  The Spring Core package has been upgraded to version 6.0.8 to fix multiple vulnerabilities CVE-2022-22971 CVE-2022-22970 CVE-2022-22971 5.3 Low Daffodil 10.0.1
9.0.0 Patch 33
8.8.15 Patch 40		 Stuart Williamson, Visa Digital Ticketing
  Added additional validations for 2FA login. CVE-2023-29381 TBD Medium Daffodil 10.0.1
9.0.0 Patch 33
8.8.15 Patch 40		 Technik BNV-GZ
The ClamAV package has been upgraded to version 0.105.2 to fix multiple vulnerabilities. CVE-2023-20032 9.8 High 9.0.0 Patch 31
8.8.15 Patch 38
Multiple security issues related possibility of RXSS attack related to printing messages and appointments have been fixed. CVE-2023-24031 TBD Low 9.0.0 Patch 30 Marco Ortisi
Valentin T.
The OpenSSL package has been upgraded to version 8.7b4 to fix multiple vulnerabilities. CVE-2023-0286 7.4 Low 9.0.0 Patch 30
8.8.15 Patch 37
Strengthened PreAuth servlet to only redirect to admin configured url, which will prevent security issues related to open redirection vulnerabilities. CVE-2023-24030 TBD Low 9.0.0 Patch 30
8.8.15 Patch 37		 Ali Dinifar
Previously, the account status was not validated when sending emails using 2FA. Added additional validations for user accounts to check the account status and allow email operations. CVE-2023-26562 TBD Medium 9.0.0 Patch 30
8.8.15 Patch 37
Strengthened security of Zimbra product by disallowing usage of some JVM arguments in mailbox manager. CVE-2023-24032 TBD Low 9.0.0 Patch 30
8.8.15 Patch 37		 Ali Dinifar
The Perl compress zlib package has been upgraded to version 2.103-1 to fix out-of-bounds access vulnerability. CVE-2018-25032 7.5 Low 9.0.0 Patch 30
8.8.15 Patch 37
XSS can occur in Classic UI login page by injecting arbitrary javascript code. CVE-2022-45911 6.1 Low 9.0.0 Patch 28 National Examinations Council of Tanzania (NECTA)
RCE through ClientUploader from authenticated admin user. CVE-2022-45912 7.2 Medium 9.0.0 Patch 28
8.8.15 Patch 35		 Strio
XSS can occur via one of attribute in webmail urls, leading to information disclosure. CVE-2022-45913 6.1 Medium 9.0.0 Patch 28
8.8.15 Patch 35		 Kim Yong-Jin
The Apache package has been upgraded to version 2.4.54 to fix multiple vulnerabilities. CVE-2022-26377 7.5 Medium 9.0.0 Patch 28
8.8.15 Patch 35
The ClamAV package has been upgraded to version 0.105.1-2 to fix multiple vulnerabilities. CVE-2022-20770
CVE-2022-20771		 7.5 Low 9.0.0 Patch 28
8.8.15 Patch 35
YUI dependency is removed from WebClient and Admin Console. CVE-2013-6780 TBD Medium 9.0.0 Patch 28
80716 An attacker can use cpio package to gain incorrect access to any other user accounts. Zimbra recommends pax over cpio. CVE-2022-41352 9.8 Major 9.0.0 Patch 27
8.8.15 Patch 34		 Yeak Nai Siew
Zimbra's sudo configuration permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters. CVE-2022-37393 7.8 Medium 9.0.0 Patch 27
8.8.15 Patch 34		 Darren Martyn
XSS can occur via one of the attribute of an IMG element, leading to information disclosure. CVE-2022-41348 6.1 Medium 9.0.0 Patch 27 Synacktiv
XSS can occur via one of attribute in search component of webmail, leading to information disclosure. CVE-2022-41350 6.1 Medium 8.8.15 Patch 34 Tin Pham aka TF1T of VietSunshine Cyber Security Services
XSS can occur via one of attribute in compose component of webmail, leading to information disclosure. CVE-2022-41349 6.1 Medium 8.8.15 Patch 34 Tin Pham aka TF1T of VietSunshine Cyber Security Services
XSS can occur via one of attribute in calendar component of webmail, leading to information disclosure. CVE-2022-41351 6.1 Medium 8.8.15 Patch 34 Tin Pham aka TF1T of VietSunshine Cyber Security Services
Upgraded OpenSSL to 1.1.1q avoid multiple vulnerabilities. 9.8 Low 9.0.0 Patch 26
8.8.15 Patch 33		 Upstream, see CVE-2022-2068
Authentication Bypass in MailboxImportServlet. CVE-2022-37042 9.8 High 9.0.0 Patch 26
8.8.15 Patch 33		 Steven Adair and Thomas Lancaster of Volexity
109447 Proxy Servlet SSRF Vulnerability. CVE-2022-37041 7.5 Low 9.0.0 Patch 26
8.8.15 Patch 33		 Nicolas VERDIER of onepoint
When using preauth, CSRF tokens are not checked on some post endpoints. CVE-2022-37043 5.7 Low 9.0.0 Patch 26
8.8.15 Patch 33		 Telenet security team
Cyrus SASL package has been upgraded to version 2.1.28. 8.8 Low 9.0.0 Patch 26
8.8.15 Patch 33		 Upstream, see CVE-2022-24407
RXSS on '/h/search' via title parameter CVE-2022-37044 6.1 Low 8.8.15 Patch 33
RXSS on '/h/search' via onload parameter CVE-2022-37044 6.1 Low 8.8.15 Patch 33
RXSS on '/h/search' via extra parameter CVE-2022-37044 6.1 Low 8.8.15 Patch 33
Upgraded Log4j to v2. 10.0 Low 9.0.0 Patch 25
8.8.15 Patch 32		 Upstream, see CVE-2021-44228, CVE-2021-45105, CVE-2019-17571
Upgraded OpenSSL to 1.1.1n to avoid DoS vulnerability. 7.5 Low 9.0.0 Patch 25
8.8.15 Patch 32		 Upstream, see CVE-2022-0778
Upgraded Jetty to 9.4.46 to avoid vulnerability due to large TLS packets causing 100% CPU usage. 7.5 Low 9.0.0 Patch 25
8.8.15 Patch 32		 Upstream, see CVE-2021-28165
Upgraded mina-core to version 2.1.6. 7.5 Low 9.0.0 Patch 25
8.8.15 Patch 32		 Upstream, see CVE-2019-0231
Memcached poisoning with unauthenticated request. CVE-2022-27924 7.5 Medium 9.0.0 Patch 24
8.8.15 Patch 31		 Simon Scannell of Sonarsource
RCE through mboximport from authenticated user. CVE-2022-27925 7.2 Medium 9.0.0 Patch 24
8.8.15 Patch 31		 Mikhail Klyuchnikov of Positive Technologies
XSS vulnerability in calendar in classic html client using /h/calendar. CVE-2022-24682 6.1 Medium 8.8.15 Patch 30 Steven Adair and Thomas Lancaster of Volexity
Proxy Servlet Open Redirect Vulnerability CVE-2021-35209 9.8 Medium 9.0.0 Patch 16
8.8.15 Patch 23		 Simon Scannell of Sonarsource
Open Redirect Vulnerability in preauth servlet CVE-2021-34807 6.1 Low 9.0.0 Patch 16
8.8.15 Patch 23		 Simon Scannell of Sonarsource
Stored XSS Vulnerability in ZmMailMsgView.java CVE-2021-35208 5.4 Medium 9.0.0 Patch 16
8.8.15 Patch 23		 Simon Scannell of Sonarsource
XSS vulnerability in Zimbra Web Client via loginErrorCode CVE-2021-35207 6.1 Medium 9.0.0 Patch 16
8.8.15 Patch 23
Heap-based buffer overflow vulnerabilities in PHP < 7.3.10 9.8 Critical 9.0.0 Patch 13 Upstream, see CVE-2019-9641, CVE-2019-9640
Heap-based buffer overflow vulnerabilities in PHP < 7.3.10 9.8 Critical 8.8.15 Patch 20 Upstream, see CVE-2019-9641, CVE-2019-9640
Upgraded Apache to 2.4.46 to avoid multiple vulnerabilities. 7.8 High 9.0.0 Patch 13 Upstream, see CVE-2019-0211, CVE-2019-0217
Upgraded Apache to 2.4.46 to avoid multiple vulnerabilities. 7.8 High 8.8.15 Patch 20 Upstream, see CVE-2019-0211, CVE-2019-0217
XXE (CWE-776) vulnerability in saml consumer store servlet (Network Edition) CVE-2020-35123 6.5 Medium 9.0.0 Patch 10 Primerica
XXE (CWE-776) vulnerability in saml consumer store servlet (Network Edition) CVE-2020-35123 6.5 Medium 8.8.15 Patch 17 Primerica
XSS CWE-79 vulnerability in tinymce n/a 6.1 Medium 9.0.0 Patch 5 Upstream, see CVE-2019-1010091
Memory Leak in nodejs library mem n/a 5.5 Medium 9.0.0 Patch 5 Upstream, see WS-2018-0236
Persistent XSS CVE-2020-13653 6.1 Minor 8.8.15 Patch 11
9.0.0 Patch 4		 Telenet
Unrestricted Upload of File with Dangerous Type CWE-434 CVE-2020-12846 6.0 Minor 8.8.16 Patch 10
9.0.0 Patch 3 		Telenet
Persistent XSS CWE-79 CVE-2020-11737 4.3 Minor 9.0.0 Patch 2 Zimbra
109174 Non-Persistent XSS CWE-79 CVE-2019-12427 4.3 Minor 8.8.15 Patch 1 Meridian Miftari
109141 Non-Persistent XSS CWE-79 CVE-2019-15313 4.3 Minor 8.8.15 Patch 1 Quang Bui
109124 Non-Persistent XSS CWE-79 CVE-2019-8947 2.6 Minor - Issam Rabhi of Sysdream
109123 Persistent XSS CWE-79 CVE-2019-8946 2.6 Minor - Issam Rabhi of Sysdream
109122 Persistent XSS CWE-79 CVE-2019-8945 3.5 Minor - Issam Rabhi of Sysdream
109117 Persistent XSS CWE-79 CVE-2019-11318 3.5 Minor 8.8.12 Patch 1 Mondher Smii
109127 SSRF CWE-918 / CWE-807 CVE-2019-9621 4.0 Minor 8.7.11 Patch11
8.8.9 Patch10
8.8.10 Patch8
8.8.11 Patch4
8.8.12 		An Trinh
109096 Blind SSRF CWE-918 CVE-2019-6981 4.0 Minor 8.7.11 Patch11
8.8.9 Patch10
8.8.10 Patch8
8.8.11 Patch4
8.8.12 		An Trinh
109129 XXE CWE-611
(8.7.x only)		 CVE-2019-9670 6.4 Major 8.7.11 Patch10 Khanh Van Pham
An Trinh
109097 Insecure object deserialization CWE-502 CVE-2019-6980 5.4 Major 8.7.11 Patch9
8.8.9 Patch10
8.8.10 Patch7
8.8.11 Patch3
8.8.12		 An Trinh
109093 XXE CWE-611 CVE-2018-20160 6.4 Major 8.7.x see 109129 above
8.8.9 Patch9
8.8.10 Patch5
8.8.11 Patch1
8.8.12		 An Trinh
109017 Non-Persistent XSS CWE-79 CVE-2018-14013 4.3 Minor 8.7.11 Patch8
8.8.9 Patch9
8.8.10 Patch5
8.8.11 		Issam Rabhi of Sysdream
109020 Persistent XSS CWE-79 CVE-2018-18631 5.0 Major 8.7.11 Patch7
8.8.9 Patch7
8.8.10 Patch2
8.8.11 		Netragard
109018 Non-Persistent CWE-79 CVE-2018-14013 2.6 Minor 8.7.11 Patch7
8.8.9 Patch6
8.8.10 Patch1
8.8.11 		Issam Rabhi of Sysdream
109021 Limited Content Spoofing CWE-345 CVE-2018-17938 4.3 Minor 8.8.10 Sumit Sahoo
109012 Account Enumeration CWE-203 CVE-2018-15131 5.0 Major 8.7.11 Patch6
8.8.8 Patch9
8.8.9 Patch3		 Danielle Deibler
108970 Persistent XSS CWE-79 CVE-2018-14425 3.5 Minor 8.8.8 Patch7
8.8.9 Patch1		 Diego Di Nardo
108902 Persistent XSS CWE-79 CVE-2018-10939 3.5 Minor 8.6.0 Patch11
8.7.11 Patch4
8.8.8 Patch4		 Diego Di Nardo
108963 Verbose Error Messages CWE-209 CVE-2018-10950 3.5 Minor 8.7.11 Patch3
8.8.8		 Netragard
108962 Account Enumeration CWE-203 CVE-2018-10949 5.0 Major 8.7.11 Patch3
8.8.8		 Netragard
108894 Persistent XSS CWE-199 CVE-2018-10951 3.6 Minor 8.6.0 Patch10
8.7.11 Patch3
8.8.8		 Netragard
97579 CSRF CWE-352 CVE-2015-7610 5.8 Major 8.6.0 Patch10
8.7.11 Patch2
8.8.8 Patch1		 Fortinet's FortiGuard Labs
108786 Persistent XSS CWE-79 CVE-2018-6882 4.3 Minor 8.6.0 Patch10
8.7.11 Patch1
8.8.7
8.8.8		 Stephan Kaag of Securify
108265 Persistent XSS CWE-79 CVE-2017-17703 4.3 Minor 8.6.0 Patch9
8.7.11 Patch1
8.8.3		 Veit Hailperin
107963 Host header injection CWE-20 - 4.3 Minor 8.8.0 Beta2 -
107948

107949

Persistent XSS CWE-79 CVE-2018-10948 3.5 Minor 8.6.0 Patch10
8.7.11 Patch3
8.8.0 Beta2		 Lucideus
Phil Pearl
107925 Persistent XSS - snippet CWE-79 CVE-2017-8802 3.5 Minor 8.6.0 Patch9
8.7.11 Patch1
8.8.0 Beta2		 Compass Security
107878 Persistent XSS - location CWE-79 CVE-2017-8783 4.0 Minor 8.7.10 Stephan Kaag of Securify
107712 Improper limitation of file paths CWE-22 CVE-2017-6821 4.0 Minor 8.7.6 Greg Solovyev, Phil Pearl
107684 Improper handling of privileges CWE-280 CVE-2017-6813 4.0 Major 8.6.0 Patch9
8.7.6		 Greg Solovyev
106811 XXE CWE-611 CVE-2016-9924 5.8 Major 8.6.0 Patch10
8.7.4		 Alastair Gray
106612 Persistent XSS CWE-79 CVE-2017-7288 4.3 Minor 8.6.0 Patch11
8.7.1		 Sammy Forgit
105001
105174		 XSS CWE-79 CVE-2016-5721 4.3
2.1		 Minor 8.6.0 Patch11
8.7.0		 Secu
104552
104703		 XSS CWE-79 CVE-2016-3999 4.3 Minor 8.7.0 Nam Habach
104477 Open Redirect CWE-601 CVE-2016-4019 4.3 Minor 8.7.0 Zimbra
104294
104456		 CSRF CWE-352 CVE-2016-3406 2.6 Minor 8.6.0 Patch8
8.7.0		 Zimbra
104222

104910
105071

105175		 XSS CWE-79 CVE-2016-3407 4.3
3.5
4.3
2.1		 Minor 8.6.0 Patch11
8.7.0		 Zimbra
103997

104413
104414
104777

104791		 XSS CWE-79 CVE-2016-3412 3.5 Minor 8.7.0 Zimbra
103996 XXE (Admin) CWE-611- CVE-2016-3413 2.6 Minor 8.6.0 Patch11
8.7.0		 Zimbra
103961
104828		 CSRF CWE-352 CVE-2016-3405 4.3 Minor 8.6.0 Patch8
8.7.0		 Zimbra
103959 CSRF CWE-352 CVE-2016-3404 4.3 Minor 8.6.0 Patch8
8.7.0		 Zimbra
103956

103995
104475
104838

104839		 XSS CWE-79 CVE-2016-3410 4.3 Minor 8.6.0 Patch11
8.7.0		 Zimbra
103609 XSS CWE-79 CVE-2016-3411 3.5 Minor 8.6.0 Patch11
8.7.0		 Zimbra
102637 XSS CWE-79 CVE-2016-3409 4.3 Minor 8.6.0 Patch11
8.7.0		 Peter Nguyen
102276 Deserialization of Untrusted Data CWE-502 CVE-2016-3415 5.8 Major 8.7.0 Zimbra
102227 Deserialization of Untrusted Data CWE-502 n/a 7.5 Major 8.7.0 Upstream, see
CVE-2015-4852
102029 CWE-674 CVE-2016-3414 4.0 Minor 8.6.0 Patch7
8.7.0		 Zimbra
101813 XSS CWE-79 CVE-2016-3408 4.3 Minor 8.6.0 Patch11
8.7.0		 Volexity
100885
100899		 CSRF CWE-352 CVE-2016-3403 5.8 Major 8.6.0 Patch8
8.7.0		 Sysdream
99810 CWE-284 CWE-203 CVE-2016-3401 3.5 Minor 8.7.0 Zimbra
99167 Account Enumeration CWE-203 CVE-2016-3402 2.6 Minor 8.7.0 Zimbra
101435
101436		 Persistent XSS CWE-79 CVE-2015-7609 6.4
2.3		 Major 8.6.0 Patch5
8.7.0		 Fortinet's FortiGuard Labs
101559

100133
99854
99914

96973		 XSS CWE-79 CVE-2015-2249 3.5 Minor 8.6.0 Patch5
8.7.0		 Zimbra
99236 XSS Vuln in YUI components in ZCS n/a 4.3 Minor 8.6.0 Patch5 Upstream, see
CVE-2012-5881
CVE-2012-5882
CVE-2012-5883
98358

98216

98215		 Non-Persistent XSS CWE-79 CVE-2015-2249 4.3 Minor 8.6.0 Patch2
8.7.0		 Cure53
97625 Non-Persistent XSS CWE-79 CVE-2015-2230 3.5 Minor 8.6.0 Patch2 MWR InfoSecurity
96105 Improper Input Validation CWE-20 CVE-2014-8563 5.8 Major 8.0.9
8.5.1
8.6.0		  -
83547 CSRF Vulnerability CWE-352 CVE-2015-6541 5.8 Major 8.5.0 iSEC Partners, Sysdream
87412

92825
92833

92835		 XSS Vulnerabilities CWE-79
(8.0.7 Patch
contains 87412)		 CVE-2014-5500 4.3 Minor 8.0.8
8.5.0		  -
83550 Session Fixation CWE-384 CVE-2013-5119 5.8 Major 8.5.0
91484 Patch ZCS8 OpenSSL for CVE-2014-0224 n/a 6.8 Major 8.0.3+Patch
8.0.4+Patch
8.0.5+Patch
8.0.6+Patch
8.0.7+Patch		 Upstream, see
CVE-2014-0224
88708 Patch ZCS8 OpenSSL for CVE-2014-0160 n/a 5.0 Major 8.0.3+Patch
8.0.4+Patch
8.0.5+Patch
8.0.6+Patch
8.0.7+Patch
8.0.7		 Upstream, see
CVE-2014-0160
85499 Upgrade to OpenSSL 1.0.1f n/a 4.3
4.3
5.8		 Major 8.0.7 Upstream, see
CVE-2013-4353
CVE-2013-6449
CVE-2013-6450
84547 XXE CWE-611 CVE-2013-7217 6.4
(not 10.0)		 Critical 7.2.2_Patch3
7.2.3_Patch
7.2.4_Patch2
7.2.5_Patch
7.2.6
8.0.3_Patch3
8.0.4_Patch2
8.0.5_Patch
8.0.6		 Private
85478 XSS vulnerability in message view - 6.4 Major 8.0.7 Alban Diquet
of iSEC Partners
85411 Local root privilege escalation - 6.2 Major 8.0.7 Matthew David
85000 Patch nginx for CVE-2013-4547 n/a 7.5 Major 7.2.7
8.0.7		 Upstream, see
CVE-2013-4547

80450
80131
80445
80132

Upgrade to JDK 1.6 u41
Upgrade OpenSSL to 1.0.0k
Upgrade to JDK 1.7u15+
Upgrade to OpenSSL 1.0.1d		 n/a 2.6 Minor 7.2.3
7.2.3
8.0.3
8.0.3		 Upstream, see
CVE-2013-0169
80338 Local file inclusion via skin/branding feature CWE-22 CVE-2013-7091 5.0 Critical 6.0.16_Patch
7.1.1_Patch6
7.1.3_Patch3
7.2.2_Patch2
7.2.3
8.0.2_Patch
8.0.3		 Private
77655 Separate keystore for CAs used for X509 authentication - 5.8 Major 8.0.7 Private
75424 Upgrade to Clamav 0.97.5 n/a 4.3
4.3
4.3		 Minor 7.2.1 Upstream, see
CVE-2012-1457
CVE-2012-1458
CVE-2012-1459
64981 Do not allow HTTP GET for login - 6.8 Major 7.1.3_Patch
7.1.4		 Private

Try Zimbra

Try now Zimbra Collaboration without any cost with the 60-day free Trial.
Get it now »

Want to get involved?

You can contribute in the Community, in the Wiki, in the Code, or developing Zimlets.
Find out more. »

Other Help Resources

Visit the User Help Page »
Visit the Official Forums »
Zimbra Documentation Page »

Looking for a Video?

Visit our YouTube Channel to keep posted about Webinars, technology news, Product overviews and more.
Go to the YouTube Channel »


Retrieved from "http://wiki.zimbra.com/index.php?title=Zimbra_Security_Advisories&oldid=69825"
Jump to: navigation, search