Zimbra Security Advisories: Difference between revisions
(Added 109141 - fixed in 8.8.15 P1 (CVE-ID TBD) ; Added CVE-2019-12427 to 109174) |
|||
(72 intermediate revisions by 8 users not shown) | |||
Line 4: | Line 4: | ||
<div class="col-md-12 ibox-content"> | <div class="col-md-12 ibox-content"> | ||
<div class="col-md-9"> | <div class="col-md-9"> | ||
<p> | |||
<h3>How to stay informed about security announcements?</h3> | |||
You could manually check this page: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories | |||
And/or subscribe to the these RSS feeds (you can use Zimbra Classic UI or some other feedreader like r2e on Linux): | |||
<ul> | |||
<li>https://wiki.zimbra.com/security-advisory-feed.php (no details, can be used for security notification purposes)</li> | |||
<li>https://blog.zimbra.com/feed/ (includes patches and security news with details and other news)</li> | |||
</ul> | |||
And subscribe to the Zeta Alliance mailing lists: | |||
https://lists.zetalliance.org/mailman/listinfo/users_lists.zetalliance.org | |||
<br><br> | |||
</p> | |||
===Overview=== | ===Overview=== | ||
<p>The following Security Vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest release and patches, | <p> | ||
The following Security Vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest release and patches, update Zimbra using your yum update or apt update. Download the latest version of our software:</p> | |||
<ul> | <ul> | ||
<li> | <li>https://www.zimbra.com/product/download/</li> | ||
</ul> | </ul> | ||
===Zimbra Collaboration - Security Vulnerability Advisories=== | ===Zimbra Collaboration - Security Vulnerability Advisories=== | ||
<p> <b>Note</b>: <u>only supported versions are referenced</u>, however older unsupported versions often have the same vulnerabilities and should be upgraded to supported versions as soon as possible. <br /> <em>(going back to ZCS 7.1.3)</em></p> | <p> <b>Note</b>: <u>only supported versions are referenced</u>, however older unsupported versions often have the same vulnerabilities and should be upgraded to supported versions as soon as possible. <br /> <em>(going back to ZCS 7.1.3)</em></p> | ||
Line 22: | Line 36: | ||
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix Release or <br />Patch Version</span></th> | <th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix Release or <br />Patch Version</span></th> | ||
<th style="background-color: #f15922;"><span style="color: #ffffff;">Reporter</span></th> | <th style="background-color: #f15922;"><span style="color: #ffffff;">Reporter</span></th> | ||
</tr> | |||
<tr> | |||
<td> </td> | |||
<td>SMTP Smuggling vulnerability Patched</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2023-51764 CVE-2023-51764]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2023-51764&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N&version=3.1&source=NIST 5.3]</td> | |||
<td> - </td> | |||
<td nowrap>9.0.0 Patch 40 | |||
10.0.8</td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td> </td> | |||
<td>Upgraded PHP to 8.3.0 to fix allocated memory vulnerability</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2021-21708 CVE-2021-21708]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2021-21708&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1&source=NIST 9.8]</td> | |||
<td> - </td> | |||
<td nowrap>9.0.0 Patch 40 | |||
10.0.8</td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td> </td> | |||
<td>An XSS vulnerability was observed due to the execution of malicious JavaScript code from an externally shared file via non-sanitized parameter</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2024-33536 CVE-2024-33536]</td> | |||
<td> TBD </td> | |||
<td> - </td> | |||
<td nowrap>9.0.0 Patch 40 | |||
10.0.8</td> | |||
<td> Netragard </td> | |||
</tr> | |||
<tr> | |||
<td> </td> | |||
<td>Unauthenticated Local File Inclusion in zimbraAdmin interface via "packages" parameter</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2024-33535 CVE-2024-33535]</td> | |||
<td> TBD </td> | |||
<td> - </td> | |||
<td nowrap>9.0.0 Patch 40 | |||
10.0.8</td> | |||
<td> Netragard </td> | |||
</tr> | |||
<tr> | |||
<td> </td> | |||
<td>Addressed XSS vulnerability in zimbraAdmin interface due to non sanitised parameter</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2024-33533 CVE-2024-33533]</td> | |||
<td> TBD </td> | |||
<td> - </td> | |||
<td nowrap>9.0.0 Patch 40 | |||
10.0.8</td> | |||
<td> Netragard </td> | |||
</tr> | |||
<tr> | |||
<td> </td> | |||
<td>Nginx has been upgraded to version 1.24.0 to fix multiple vulnerabilities</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-41741 CVE-2022-41741] [https://nvd.nist.gov/vuln/detail/CVE-2022-41742 CVE-2022-41742]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2022-41741&vector=AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H&version=3.1&source=NIST 7.8]</td> | |||
<td> - </td> | |||
<td nowrap>9.0.0 Patch 39 | |||
10.0.7</td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td> </td> | |||
<td>An XSS vulnerability in a Calendar invite has been resolved</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2024-27443 CVE-2024-27443]</td> | |||
<td> TBD </td> | |||
<td> - </td> | |||
<td nowrap>9.0.0 Patch 39 | |||
10.0.7</td> | |||
<td>nhiephon, chung96vn, SPT from NCSC Vietnam</td> | |||
</tr> | |||
<tr> | |||
<td> </td> | |||
<td>Local Privilege Escalation vulnerability Patched</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2024-27442 CVE-2024-27442]</td> | |||
<td> TBD </td> | |||
<td> - </td> | |||
<td nowrap>9.0.0 Patch 39 | |||
10.0.7</td> | |||
<td>ZDI</td> | |||
</tr> | |||
<tr> | |||
<td> </td> | |||
<td>OpenJDK has been upgraded to version 17.0.8 to fix multiple vulnerabilities. </td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2023-21930 CVE-2023-21930] [https://nvd.nist.gov/vuln/detail/CVE-2022-21476 CVE-2022-21476] [https://nvd.nist.gov/vuln/detail/CVE-2022-21449 CVE-2022-21449]</td> | |||
<td> High </td> | |||
<td> - </td> | |||
<td nowrap>9.0.0 Patch 38 | |||
8.8.15 Patch 45 | |||
10.0.6</td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td> </td> | |||
<td>Fixed a vulnerability where an auth token was possible to be obtained. </td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2023-48432 CVE-2023-48432]</td> | |||
<td> TBD </td> | |||
<td> - </td> | |||
<td nowrap>9.0.0 Patch 38 | |||
8.8.15 Patch 45 | |||
10.0.6</td> | |||
<td>Nguyễn Khắc Huy</td> | |||
</tr> | |||
<tr> | |||
<td> </td> | |||
<td>Certbot now adopts ECDSA secp256r1 (P-256) certificate private keys as the default for all newly generated certificates. Zimbra has also introduced support for ECDSA secp256r1 (P-256) certificate private keys in new certificates. </td> | |||
<td>TBD</td> | |||
<td> TBD </td> | |||
<td> - </td> | |||
<td nowrap>9.0.0 Patch 38 | |||
8.8.15 Patch 45 | |||
10.0.6</td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td> </td> | |||
<td>Modern UI was vulnerable to DOM-based Javascript injection. Security related issues have been fixed to prevent it. </td> | |||
<td>TBD</td> | |||
<td> TBD </td> | |||
<td> - </td> | |||
<td nowrap>9.0.0 Patch 38 | |||
10.0.6</td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td> </td> | |||
<td>A security related issue has been fixed to prevent javascript injection through help files. </td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2007-1280 CVE-2007-1280]</td> | |||
<td> TBD </td> | |||
<td> - </td> | |||
<td nowrap>9.0.0 Patch 37 | |||
8.8.15 Patch 44 | |||
10.0.5</td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td> </td> | |||
<td>A security related issue has been fixed which impacted one of the third party libraries being used in Admin User Inferface. </td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2020-7746 CVE-2020-7746]</td> | |||
<td> High </td> | |||
<td> - </td> | |||
<td nowrap>9.0.0 Patch 37 | |||
8.8.15 Patch 44 | |||
10.0.5</td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td> </td> | |||
<td>An XSS vulnerability was observed when a PDF containing malicious Javascript code was uploaded in Briefcase. </td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2023-45207 CVE-2023-45207]</td> | |||
<td> TBD </td> | |||
<td> - </td> | |||
<td nowrap>9.0.0 Patch 37 | |||
8.8.15 Patch 44 | |||
10.0.5</td> | |||
<td>Ramin: https://twitter.com/realraminfp, https://github.com/raminfp</td> | |||
</tr> | |||
<tr> | |||
<td> </td> | |||
<td>Multiple possible cross-site scripting (XSS) vulnerabilities were observed in the robohelp package. The package has now been made optional. This means that users will now be access help documentation at the URL - https://www.zimbra.com/documentation/. </td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2023-45206 CVE-2023-45206]</td> | |||
<td> TBD </td> | |||
<td> - </td> | |||
<td nowrap>9.0.0 Patch 37 | |||
8.8.15 Patch 44 | |||
10.0.5</td> | |||
<td>Aviva Lietuva, UAGDPB</td> | |||
</tr> | |||
<tr> | |||
<td> </td> | |||
<td>XSS on one of the web endpoint via non sanitised input parameter. </td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2023-43103 CVE-2023-43103]</td> | |||
<td> TBD </td> | |||
<td> - </td> | |||
<td nowrap>9.0.0 Patch 36 | |||
8.8.15 Patch 43 | |||
10.0.4</td> | |||
<td>Sk4nd4 : https://twitter.com/Sk4nd4</td> | |||
</tr> | |||
<tr> | |||
<td> </td> | |||
<td>An attacker can gain access of logged-in user’s mailbox through XSS. </td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2023-43102 CVE-2023-43102]</td> | |||
<td> TBD </td> | |||
<td> - </td> | |||
<td nowrap>9.0.0 Patch 36 | |||
8.8.15 Patch 43 | |||
10.0.4</td> | |||
<td>Florian Klaar</td> | |||
</tr> | |||
<tr> | |||
<td> </td> | |||
<td>Bug that could allow an unauthenticated attacker to gain access to a Zimbra account. </td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2023-41106 CVE-2023-41106]</td> | |||
<td> [https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 8.8] </td> | |||
<td> - </td> | |||
<td nowrap>9.0.0 Patch 35 | |||
8.8.15 Patch 42 | |||
10.0.3</td> | |||
<td>Sk4nd4 : https://twitter.com/Sk4nd4</td> | |||
</tr> | |||
<tr> | |||
<td> </td> | |||
<td>A cross-site scripting (XSS) vulnerability that was present in the in the Zimbra Classic Web Client has been addressed. </td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2023-37580 CVE-2023-37580]</td> | |||
<td> [https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1] </td> | |||
<td> - </td> | |||
<td nowrap>8.8.15 Patch 41</td> | |||
<td>Clement Lecigne, Google’s Threat Analysis Group</td> | |||
</tr> | |||
<tr> | |||
<td> </td> | |||
<td>OpenSSL package has been upgraded to fix a security issue related to the verification of X.509 certificate chains that include policy constraints </td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2023-0464 CVE-2023-0464]</td> | |||
<td> [https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.5] </td> | |||
<td> - </td> | |||
<td nowrap>9.0.0 Patch 34<br />8.8.15 Patch 41<br />10.0.2</td> | |||
<td> </td> | |||
</tr> | |||
<tr> | |||
<td> </td> | |||
<td>The Amavis package has been upgraded to 2.13.0 version. </td> | |||
<td> TBD </td> | |||
<td> TBD </td> | |||
<td> - </td> | |||
<td nowrap>9.0.0 Patch 34<br />8.8.15 Patch 41<br />10.0.2</td> | |||
<td> </td> | |||
</tr> | |||
<tr> | |||
<td> </td> | |||
<td>A bug that could lead to exposure of internal JSP and XML files has been fixed. </td> | |||
<td> [https://nvd.nist.gov/vuln/detail/CVE-2023-38750 CVE-2023-38750] </td> | |||
<td> [https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.5] </td> | |||
<td> - </td> | |||
<td nowrap>9.0.0 Patch 34<br />8.8.15 Patch 41<br />10.0.2</td> | |||
<td> </td> | |||
</tr> | |||
<tr> | |||
<td> </td> | |||
<td>A possible Cross-site Scripting (XSS) security vulnerability has been fixed </td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2023-34192 CVE-2023-34192]</td> | |||
<td> [https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 9.0] </td> | |||
<td> High</td> | |||
<td nowrap>8.8.15 Patch 40</td> | |||
<td>Skay, Noah-Lab</td> | |||
</tr> | |||
<tr> | |||
<td> </td> | |||
<td>As part of continuous improvement, ClientUploader packages has been removed from core product and moved to an optional package </td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2023-34193 CVE-2023-34193]</td> | |||
<td> [https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 8.9] </td> | |||
<td> Medium </td> | |||
<td nowrap>Daffodil 10.0.1<br />9.0.0 Patch 33<br />8.8.15 Patch 40</td> | |||
<td>Rudransh Jani of Ownux Global</td> | |||
</tr> | |||
<tr> | |||
<td> </td> | |||
<td>The Apache package has been upgraded to version 2.4.57 to fix multiple vulnerabilities </td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2023-25690 CVE-2023-25690]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 9.8]</td> | |||
<td> Low</td> | |||
<td nowrap> Daffodil 10.0.1<br />9.0.0 Patch 33<br />8.8.15 Patch 40</td> | |||
<td>Jabetto</td> | |||
</tr> | |||
<tr> | |||
<td> </td> | |||
<td>Remove unused JSP file which may bypass the Preauth verification </td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2023-29382 CVE-2023-29382]</td> | |||
<td> [https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 9.8] </td> | |||
<td> Low</td> | |||
<td nowrap> Daffodil 10.0.1<br />9.0.0 Patch 33<br />8.8.15 Patch 40</td> | |||
<td>Skay, Noah-Lab</td> | |||
</tr> | |||
<tr> | |||
<td> </td> | |||
<td>The Apache CXF package has been upgraded to version 3.5.5 to fix SSRF vulnerability </td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-46364 CVE-2022-46364]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 9.8]</td> | |||
<td> Low</td> | |||
<td nowrap> Daffodil 10.0.1<br />9.0.0 Patch 33<br />8.8.15 Patch 40</td> | |||
<td>Atos Worldline</td> | |||
</tr> | |||
<tr> | |||
<td> </td> | |||
<td>The Spring Core package has been upgraded to version 6.0.8 to fix multiple vulnerabilities </td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-22970 CVE-2022-22971 CVE-2022-22970 CVE-2022-22971]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 5.3]</td> | |||
<td> Low</td> | |||
<td nowrap> Daffodil 10.0.1<br />9.0.0 Patch 33<br />8.8.15 Patch 40</td> | |||
<td>Stuart Williamson, Visa Digital Ticketing</td> | |||
</tr> | |||
<tr> | |||
<td> </td> | |||
<td>Added additional validations for 2FA login. </td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2023-29381 CVE-2023-29381]</td> | |||
<td> [https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 9.8] </td> | |||
<td> Medium</td> | |||
<td nowrap> Daffodil 10.0.1<br />9.0.0 Patch 33<br />8.8.15 Patch 40</td> | |||
<td>Technik BNV-GZ</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>The ClamAV package has been upgraded to version 0.105.2 to fix multiple vulnerabilities.</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2023-20032 CVE-2023-20032]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 9.8]</td> | |||
<td>High</td> | |||
<td nowrap>9.0.0 Patch 31<br />8.8.15 Patch 38</td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Multiple security issues related possibility of RXSS attack related to printing messages and appointments have been fixed.</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2023-24031 CVE-2023-24031]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td> | |||
<td>Low</td> | |||
<td nowrap>9.0.0 Patch 30</td> | |||
<td> Marco Ortisi <br /> Valentin T.</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>The OpenSSL package has been upgraded to version 8.7b4 to fix multiple vulnerabilities.</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2023-0286 CVE-2023-0286]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.4]</td> | |||
<td>Low</td> | |||
<td nowrap>9.0.0 Patch 30<br />8.8.15 Patch 37</td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Strengthened PreAuth servlet to only redirect to admin configured url, which will prevent security issues related to open redirection vulnerabilities.</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2023-24030 CVE-2023-24030]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td> | |||
<td>Low</td> | |||
<td nowrap>9.0.0 Patch 30<br />8.8.15 Patch 37</td> | |||
<td>Ali Dinifar</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Previously, the account status was not validated when sending emails using 2FA. Added additional validations for user accounts to check the account status and allow email operations.</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2023-26562 CVE-2023-26562]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.8]</td> | |||
<td>Medium</td> | |||
<td nowrap>9.0.0 Patch 30<br />8.8.15 Patch 37</td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Strengthened security of Zimbra product by disallowing usage of some JVM arguments in mailbox manager.</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2023-24032 CVE-2023-24032]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.8]</td> | |||
<td>Low</td> | |||
<td nowrap>9.0.0 Patch 30<br />8.8.15 Patch 37</td> | |||
<td>Ali Dinifar</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>The Perl compress zlib package has been upgraded to version 2.103-1 to fix out-of-bounds access vulnerability.</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-25032 CVE-2018-25032]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.5]</td> | |||
<td>Low</td> | |||
<td nowrap>9.0.0 Patch 30<br />8.8.15 Patch 37</td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>XSS can occur in Classic UI login page by injecting arbitrary javascript code.</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-45911 CVE-2022-45911]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td> | |||
<td>Low</td> | |||
<td nowrap>9.0.0 Patch 28</td> | |||
<td>National Examinations Council of Tanzania (NECTA)</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>RCE through ClientUploader from authenticated admin user.</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-45912 CVE-2022-45912]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.2]</td> | |||
<td>Medium</td> | |||
<td nowrap>9.0.0 Patch 28<br />8.8.15 Patch 35</td> | |||
<td>Strio</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>XSS can occur via one of attribute in webmail urls, leading to information disclosure.</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-45913 CVE-2022-45913]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td> | |||
<td>Medium</td> | |||
<td nowrap>9.0.0 Patch 28<br />8.8.15 Patch 35</td> | |||
<td>Kim Yong-Jin </td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>The Apache package has been upgraded to version 2.4.54 to fix multiple vulnerabilities.</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-26377 CVE-2022-26377]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.5]</td> | |||
<td>Medium</td> | |||
<td nowrap>9.0.0 Patch 28<br />8.8.15 Patch 35</td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>The ClamAV package has been upgraded to version 0.105.1-2 to fix multiple vulnerabilities.</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-20770 CVE-2022-20770] <br />[https://nvd.nist.gov/vuln/detail/CVE-2022-20771 CVE-2022-20771]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.5]</td> | |||
<td>Low</td> | |||
<td nowrap>9.0.0 Patch 28<br />8.8.15 Patch 35</td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>YUI dependency is removed from WebClient and Admin Console.</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2013-6780 CVE-2013-6780]</td> | |||
<td>TBD</td> | |||
<td>Medium</td> | |||
<td nowrap>9.0.0 Patch 28</td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80716 80716]</td> | |||
<td>An attacker can use cpio package to gain incorrect access to any other user accounts. Zimbra recommends pax over cpio.</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-41352 CVE-2022-41352]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 9.8]</td> | |||
<td>Major</td> | |||
<td nowrap>9.0.0 Patch 27<br />8.8.15 Patch 34</td> | |||
<td>Yeak Nai Siew</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Zimbra's sudo configuration permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters.</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-37393 CVE-2022-37393]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.8]</td> | |||
<td>Medium</td> | |||
<td nowrap>9.0.0 Patch 27<br />8.8.15 Patch 34</td> | |||
<td>Darren Martyn</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>XSS can occur via one of the attribute of an IMG element, leading to information disclosure.</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-41348 CVE-2022-41348]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td> | |||
<td>Medium</td> | |||
<td nowrap>9.0.0 Patch 27</td> | |||
<td>Synacktiv</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>XSS can occur via one of attribute in search component of webmail, leading to information disclosure.</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-41350 CVE-2022-41350]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td> | |||
<td>Medium</td> | |||
<td nowrap>8.8.15 Patch 34</td> | |||
<td>Tin Pham aka TF1T of VietSunshine Cyber Security Services</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>XSS can occur via one of attribute in compose component of webmail, leading to information disclosure.</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-41349 CVE-2022-41349]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td> | |||
<td>Medium</td> | |||
<td nowrap>8.8.15 Patch 34</td> | |||
<td>Tin Pham aka TF1T of VietSunshine Cyber Security Services</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>XSS can occur via one of attribute in calendar component of webmail, leading to information disclosure.</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-41351 CVE-2022-41351]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td> | |||
<td>Medium</td> | |||
<td nowrap>8.8.15 Patch 34</td> | |||
<td>Tin Pham aka TF1T of VietSunshine Cyber Security Services</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Upgraded OpenSSL to 1.1.1q avoid multiple vulnerabilities.</td> | |||
<td></td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 9.8]</td> | |||
<td>Low</td> | |||
<td nowrap>9.0.0 Patch 26<br />8.8.15 Patch 33</td> | |||
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2022-2068 CVE-2022-2068]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Authentication Bypass in MailboxImportServlet.</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-37042 CVE-2022-37042]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 9.8]</td> | |||
<td>High</td> | |||
<td nowrap>9.0.0 Patch 26<br />8.8.15 Patch 33</td> | |||
<td>Steven Adair and Thomas Lancaster of [https://www.volexity.com/ Volexity]</td> | |||
</tr> | |||
<tr> | |||
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109447 109447]</td> | |||
<td>Proxy Servlet SSRF Vulnerability.</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-37041 CVE-2022-37041]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.5]</td> | |||
<td>Low</td> | |||
<td nowrap>9.0.0 Patch 26<br />8.8.15 Patch 33</td> | |||
<td>Nicolas VERDIER of onepoint</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>When using preauth, CSRF tokens are not checked on some post endpoints.</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-37043 CVE-2022-37043]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 5.7]</td> | |||
<td>Low</td> | |||
<td nowrap>9.0.0 Patch 26<br />8.8.15 Patch 33</td> | |||
<td>Telenet security team</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Cyrus SASL package has been upgraded to version 2.1.28.</td> | |||
<td></td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 8.8]</td> | |||
<td>Low</td> | |||
<td nowrap>9.0.0 Patch 26<br />8.8.15 Patch 33</td> | |||
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2022-24407 CVE-2022-24407]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>RXSS on '/h/search' via title parameter </td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-37044 CVE-2022-37044]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td> | |||
<td>Low</td> | |||
<td nowrap>8.8.15 Patch 33</td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>RXSS on '/h/search' via onload parameter</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-37044 CVE-2022-37044]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td> | |||
<td>Low</td> | |||
<td nowrap>8.8.15 Patch 33</td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>RXSS on '/h/search' via extra parameter</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-37044 CVE-2022-37044]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td> | |||
<td>Low</td> | |||
<td nowrap>8.8.15 Patch 33</td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Upgraded Log4j to v2.</td> | |||
<td></td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 10.0]</td> | |||
<td>Low</td> | |||
<td nowrap>9.0.0 Patch 25<br />8.8.15 Patch 32</td> | |||
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2021-44228 CVE-2021-44228], [https://nvd.nist.gov/vuln/detail/CVE-2021-45105 CVE-2021-45105], [https://nvd.nist.gov/vuln/detail/CVE-2019-17571 CVE-2019-17571]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Upgraded OpenSSL to 1.1.1n to avoid DoS vulnerability.</td> | |||
<td></td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.5]</td> | |||
<td>Low</td> | |||
<td nowrap>9.0.0 Patch 25<br />8.8.15 Patch 32</td> | |||
<td>Upstream, see [https://access.redhat.com/security/cve/cve-2022-0778 CVE-2022-0778]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Upgraded Jetty to 9.4.46 to avoid vulnerability due to large TLS packets causing 100% CPU usage.</td> | |||
<td></td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.5]</td> | |||
<td>Low</td> | |||
<td nowrap>9.0.0 Patch 25<br />8.8.15 Patch 32</td> | |||
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2021-28165 CVE-2021-28165]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Upgraded mina-core to version 2.1.6.</td> | |||
<td></td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.5]</td> | |||
<td>Low</td> | |||
<td nowrap>9.0.0 Patch 25<br />8.8.15 Patch 32</td> | |||
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2019-0231 CVE-2019-0231]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Memcached poisoning with unauthenticated request.</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-27924 CVE-2022-27924]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.5]</td> | |||
<td>Medium</td> | |||
<td nowrap>9.0.0 Patch 24<br />8.8.15 Patch 31</td> | |||
<td>Simon Scannell of [https://sonarsource.com/ Sonarsource]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>RCE through mboximport from authenticated user.</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-27925 CVE-2022-27925]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.2]</td> | |||
<td>Medium</td> | |||
<td nowrap>9.0.0 Patch 24<br />8.8.15 Patch 31</td> | |||
<td>Mikhail Klyuchnikov of [https://www.ptsecurity.com Positive Technologies]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>XSS vulnerability in calendar in classic html client using /h/calendar. </td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-24682 CVE-2022-24682]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td> | |||
<td>Medium</td> | |||
<td nowrap>8.8.15 Patch 30</td> | |||
<td>Steven Adair and Thomas Lancaster of [https://www.volexity.com/ Volexity]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Proxy Servlet Open Redirect Vulnerability</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2021-35209 CVE-2021-35209]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 9.8]</td> | |||
<td>Medium</td> | |||
<td nowrap>9.0.0 Patch 16<br />8.8.15 Patch 23</td> | |||
<td>Simon Scannell of [https://sonarsource.com/ Sonarsource]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Open Redirect Vulnerability in preauth servlet</td> | |||
<td> [https://nvd.nist.gov/vuln/detail/CVE-2021-34807 CVE-2021-34807]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td> | |||
<td>Low</td> | |||
<td nowrap>9.0.0 Patch 16<br />8.8.15 Patch 23</td> | |||
<td>Simon Scannell of [https://sonarsource.com/ Sonarsource]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Stored XSS Vulnerability in ZmMailMsgView.java</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2021-35208 CVE-2021-35208]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 5.4]</td> | |||
<td>Medium</td> | |||
<td nowrap>9.0.0 Patch 16<br />8.8.15 Patch 23</td> | |||
<td>Simon Scannell of [https://sonarsource.com/ Sonarsource]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>XSS vulnerability in Zimbra Web Client via loginErrorCode</td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2021-35207 CVE-2021-35207]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td> | |||
<td>Medium</td> | |||
<td nowrap>9.0.0 Patch 16<br />8.8.15 Patch 23</td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Heap-based buffer overflow vulnerabilities in PHP < 7.3.10</td> | |||
<td></td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 9.8]</td> | |||
<td>Critical</td> | |||
<td>9.0.0 Patch 13</td> | |||
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2019-9641 CVE-2019-9641], [https://nvd.nist.gov/vuln/detail/CVE-2019-9640 CVE-2019-9640]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Heap-based buffer overflow vulnerabilities in PHP < 7.3.10</td> | |||
<td></td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 9.8]</td> | |||
<td>Critical</td> | |||
<td>8.8.15 Patch 20</td> | |||
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2019-9641 CVE-2019-9641], [https://nvd.nist.gov/vuln/detail/CVE-2019-9640 CVE-2019-9640]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Upgraded Apache to 2.4.46 to avoid multiple vulnerabilities.</td> | |||
<td></td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.8]</td> | |||
<td>High</td> | |||
<td>9.0.0 Patch 13</td> | |||
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2019-0211 CVE-2019-0211], [https://nvd.nist.gov/vuln/detail/CVE-2019-0217 CVE-2019-0217]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Upgraded Apache to 2.4.46 to avoid multiple vulnerabilities.</td> | |||
<td></td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.8]</td> | |||
<td>High</td> | |||
<td>8.8.15 Patch 20</td> | |||
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2019-0211 CVE-2019-0211], [https://nvd.nist.gov/vuln/detail/CVE-2019-0217 CVE-2019-0217]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>XXE ([https://cwe.mitre.org/data/definitions/776.html CWE-776]) vulnerability in saml consumer store servlet (Network Edition) </td> | |||
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2020-35123 CVE-2020-35123]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.5]</td> | |||
<td>Medium</td> | |||
<td>9.0.0 Patch 10</td> | |||
<td>Primerica</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>XXE ([https://cwe.mitre.org/data/definitions/776.html CWE-776]) vulnerability in saml consumer store servlet (Network Edition) </td> | |||
<td>[https://nvd.nist.gov/vuln/detail/CVE-2020-35123 CVE-2020-35123]</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.5]</td> | |||
<td>Medium</td> | |||
<td>8.8.15 Patch 17</td> | |||
<td>Primerica</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79] vulnerability in tinymce</td> | |||
<td nowrap>n/a</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td> | |||
<td>Medium</td> | |||
<td>9.0.0 Patch 5</td> | |||
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2019-1010091 CVE-2019-1010091]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Memory Leak in nodejs library [https://github.com/sindresorhus/mem mem]</td> | |||
<td nowrap>n/a</td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 5.5]</td> | |||
<td>Medium</td> | |||
<td>9.0.0 Patch 5</td> | |||
<td>Upstream, see [https://www.whitesourcesoftware.com/vulnerability-database/WS-2018-0236 WS-2018-0236]</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Persistent XSS</td> | |||
<td nowrap> [https://nvd.nist.gov/vuln/detail/CVE-2020-13653 CVE-2020-13653] </td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td> | |||
<td>Minor</td> | |||
<td>8.8.15 Patch 11<br />9.0.0 Patch 4</td> | |||
<td>Telenet</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Unrestricted Upload of File with Dangerous Type [https://cwe.mitre.org/data/definitions/434.html CWE-434]</td> | |||
<td nowrap> [https://nvd.nist.gov/vuln/detail/CVE-2020-12846 CVE-2020-12846] </td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.0]</td> | |||
<td>Minor</td> | |||
<td>8.8.16 Patch 10<br />9.0.0 Patch 3 </td> | |||
<td>Telenet</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td> | |||
<td nowrap> [https://nvd.nist.gov/vuln/detail/CVE-2020-11737 CVE-2020-11737] </td> | |||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3]</td> | |||
<td>Minor</td> | |||
<td>9.0.0 Patch 2 </td> | |||
<td>Zimbra</td> | |||
</tr> | </tr> | ||
Line 37: | Line 877: | ||
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109141 109141]</td> | <td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109141 109141]</td> | ||
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td> | <td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td> | ||
<td nowrap> | <td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-15313 CVE-2019-15313]</td> | ||
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3]</td> | <td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3]</td> | ||
<td>Minor</td> | <td>Minor</td> |
Latest revision as of 08:02, 24 April 2024
Zimbra Security Advisories
How to stay informed about security announcements?
You could manually check this page: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
And/or subscribe to the these RSS feeds (you can use Zimbra Classic UI or some other feedreader like r2e on Linux):
- https://wiki.zimbra.com/security-advisory-feed.php (no details, can be used for security notification purposes)
- https://blog.zimbra.com/feed/ (includes patches and security news with details and other news)
And subscribe to the Zeta Alliance mailing lists:
https://lists.zetalliance.org/mailman/listinfo/users_lists.zetalliance.org
Overview
The following Security Vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest release and patches, update Zimbra using your yum update or apt update. Download the latest version of our software:
Zimbra Collaboration - Security Vulnerability Advisories
Note: only supported versions are referenced, however older unsupported versions often have the same vulnerabilities and should be upgraded to supported versions as soon as possible.
(going back to ZCS 7.1.3)
Bug# | Summary | CVE-ID | CVSS Score |
Zimbra Rating |
Fix Release or Patch Version |
Reporter |
---|---|---|---|---|---|---|
SMTP Smuggling vulnerability Patched | CVE-2023-51764 | 5.3 | - | 9.0.0 Patch 40 10.0.8 | ||
Upgraded PHP to 8.3.0 to fix allocated memory vulnerability | CVE-2021-21708 | 9.8 | - | 9.0.0 Patch 40 10.0.8 | ||
An XSS vulnerability was observed due to the execution of malicious JavaScript code from an externally shared file via non-sanitized parameter | CVE-2024-33536 | TBD | - | 9.0.0 Patch 40 10.0.8 | Netragard | |
Unauthenticated Local File Inclusion in zimbraAdmin interface via "packages" parameter | CVE-2024-33535 | TBD | - | 9.0.0 Patch 40 10.0.8 | Netragard | |
Addressed XSS vulnerability in zimbraAdmin interface due to non sanitised parameter | CVE-2024-33533 | TBD | - | 9.0.0 Patch 40 10.0.8 | Netragard | |
Nginx has been upgraded to version 1.24.0 to fix multiple vulnerabilities | CVE-2022-41741 CVE-2022-41742 | 7.8 | - | 9.0.0 Patch 39 10.0.7 | ||
An XSS vulnerability in a Calendar invite has been resolved | CVE-2024-27443 | TBD | - | 9.0.0 Patch 39 10.0.7 | nhiephon, chung96vn, SPT from NCSC Vietnam | |
Local Privilege Escalation vulnerability Patched | CVE-2024-27442 | TBD | - | 9.0.0 Patch 39 10.0.7 | ZDI | |
OpenJDK has been upgraded to version 17.0.8 to fix multiple vulnerabilities. | CVE-2023-21930 CVE-2022-21476 CVE-2022-21449 | High | - | 9.0.0 Patch 38
8.8.15 Patch 45 10.0.6 |
||
Fixed a vulnerability where an auth token was possible to be obtained. | CVE-2023-48432 | TBD | - | 9.0.0 Patch 38
8.8.15 Patch 45 10.0.6 |
Nguyễn Khắc Huy | |
Certbot now adopts ECDSA secp256r1 (P-256) certificate private keys as the default for all newly generated certificates. Zimbra has also introduced support for ECDSA secp256r1 (P-256) certificate private keys in new certificates. | TBD | TBD | - | 9.0.0 Patch 38
8.8.15 Patch 45 10.0.6 |
||
Modern UI was vulnerable to DOM-based Javascript injection. Security related issues have been fixed to prevent it. | TBD | TBD | - | 9.0.0 Patch 38 10.0.6 | ||
A security related issue has been fixed to prevent javascript injection through help files. | CVE-2007-1280 | TBD | - | 9.0.0 Patch 37
8.8.15 Patch 44 10.0.5 |
||
A security related issue has been fixed which impacted one of the third party libraries being used in Admin User Inferface. | CVE-2020-7746 | High | - | 9.0.0 Patch 37
8.8.15 Patch 44 10.0.5 |
||
An XSS vulnerability was observed when a PDF containing malicious Javascript code was uploaded in Briefcase. | CVE-2023-45207 | TBD | - | 9.0.0 Patch 37
8.8.15 Patch 44 10.0.5 |
Ramin: https://twitter.com/realraminfp, https://github.com/raminfp | |
Multiple possible cross-site scripting (XSS) vulnerabilities were observed in the robohelp package. The package has now been made optional. This means that users will now be access help documentation at the URL - https://www.zimbra.com/documentation/. | CVE-2023-45206 | TBD | - | 9.0.0 Patch 37
8.8.15 Patch 44 10.0.5 |
Aviva Lietuva, UAGDPB | |
XSS on one of the web endpoint via non sanitised input parameter. | CVE-2023-43103 | TBD | - | 9.0.0 Patch 36
8.8.15 Patch 43 10.0.4 |
Sk4nd4 : https://twitter.com/Sk4nd4 | |
An attacker can gain access of logged-in user’s mailbox through XSS. | CVE-2023-43102 | TBD | - | 9.0.0 Patch 36
8.8.15 Patch 43 10.0.4 |
Florian Klaar | |
Bug that could allow an unauthenticated attacker to gain access to a Zimbra account. | CVE-2023-41106 | 8.8 | - | 9.0.0 Patch 35
8.8.15 Patch 42 10.0.3 |
Sk4nd4 : https://twitter.com/Sk4nd4 | |
A cross-site scripting (XSS) vulnerability that was present in the in the Zimbra Classic Web Client has been addressed. | CVE-2023-37580 | 6.1 | - | 8.8.15 Patch 41 | Clement Lecigne, Google’s Threat Analysis Group | |
OpenSSL package has been upgraded to fix a security issue related to the verification of X.509 certificate chains that include policy constraints | CVE-2023-0464 | 7.5 | - | 9.0.0 Patch 34 8.8.15 Patch 41 10.0.2 |
||
The Amavis package has been upgraded to 2.13.0 version. | TBD | TBD | - | 9.0.0 Patch 34 8.8.15 Patch 41 10.0.2 |
||
A bug that could lead to exposure of internal JSP and XML files has been fixed. | CVE-2023-38750 | 7.5 | - | 9.0.0 Patch 34 8.8.15 Patch 41 10.0.2 |
||
A possible Cross-site Scripting (XSS) security vulnerability has been fixed | CVE-2023-34192 | 9.0 | High | 8.8.15 Patch 40 | Skay, Noah-Lab | |
As part of continuous improvement, ClientUploader packages has been removed from core product and moved to an optional package | CVE-2023-34193 | 8.9 | Medium | Daffodil 10.0.1 9.0.0 Patch 33 8.8.15 Patch 40 |
Rudransh Jani of Ownux Global | |
The Apache package has been upgraded to version 2.4.57 to fix multiple vulnerabilities | CVE-2023-25690 | 9.8 | Low | Daffodil 10.0.1 9.0.0 Patch 33 8.8.15 Patch 40 |
Jabetto | |
Remove unused JSP file which may bypass the Preauth verification | CVE-2023-29382 | 9.8 | Low | Daffodil 10.0.1 9.0.0 Patch 33 8.8.15 Patch 40 |
Skay, Noah-Lab | |
The Apache CXF package has been upgraded to version 3.5.5 to fix SSRF vulnerability | CVE-2022-46364 | 9.8 | Low | Daffodil 10.0.1 9.0.0 Patch 33 8.8.15 Patch 40 |
Atos Worldline | |
The Spring Core package has been upgraded to version 6.0.8 to fix multiple vulnerabilities | CVE-2022-22971 CVE-2022-22970 CVE-2022-22971 | 5.3 | Low | Daffodil 10.0.1 9.0.0 Patch 33 8.8.15 Patch 40 |
Stuart Williamson, Visa Digital Ticketing | |
Added additional validations for 2FA login. | CVE-2023-29381 | 9.8 | Medium | Daffodil 10.0.1 9.0.0 Patch 33 8.8.15 Patch 40 |
Technik BNV-GZ | |
The ClamAV package has been upgraded to version 0.105.2 to fix multiple vulnerabilities. | CVE-2023-20032 | 9.8 | High | 9.0.0 Patch 31 8.8.15 Patch 38 |
||
Multiple security issues related possibility of RXSS attack related to printing messages and appointments have been fixed. | CVE-2023-24031 | 6.1 | Low | 9.0.0 Patch 30 | Marco Ortisi Valentin T. |
|
The OpenSSL package has been upgraded to version 8.7b4 to fix multiple vulnerabilities. | CVE-2023-0286 | 7.4 | Low | 9.0.0 Patch 30 8.8.15 Patch 37 |
||
Strengthened PreAuth servlet to only redirect to admin configured url, which will prevent security issues related to open redirection vulnerabilities. | CVE-2023-24030 | 6.1 | Low | 9.0.0 Patch 30 8.8.15 Patch 37 |
Ali Dinifar | |
Previously, the account status was not validated when sending emails using 2FA. Added additional validations for user accounts to check the account status and allow email operations. | CVE-2023-26562 | 7.8 | Medium | 9.0.0 Patch 30 8.8.15 Patch 37 |
||
Strengthened security of Zimbra product by disallowing usage of some JVM arguments in mailbox manager. | CVE-2023-24032 | 7.8 | Low | 9.0.0 Patch 30 8.8.15 Patch 37 |
Ali Dinifar | |
The Perl compress zlib package has been upgraded to version 2.103-1 to fix out-of-bounds access vulnerability. | CVE-2018-25032 | 7.5 | Low | 9.0.0 Patch 30 8.8.15 Patch 37 |
||
XSS can occur in Classic UI login page by injecting arbitrary javascript code. | CVE-2022-45911 | 6.1 | Low | 9.0.0 Patch 28 | National Examinations Council of Tanzania (NECTA) | |
RCE through ClientUploader from authenticated admin user. | CVE-2022-45912 | 7.2 | Medium | 9.0.0 Patch 28 8.8.15 Patch 35 |
Strio | |
XSS can occur via one of attribute in webmail urls, leading to information disclosure. | CVE-2022-45913 | 6.1 | Medium | 9.0.0 Patch 28 8.8.15 Patch 35 |
Kim Yong-Jin | |
The Apache package has been upgraded to version 2.4.54 to fix multiple vulnerabilities. | CVE-2022-26377 | 7.5 | Medium | 9.0.0 Patch 28 8.8.15 Patch 35 |
||
The ClamAV package has been upgraded to version 0.105.1-2 to fix multiple vulnerabilities. | CVE-2022-20770 CVE-2022-20771 |
7.5 | Low | 9.0.0 Patch 28 8.8.15 Patch 35 |
||
YUI dependency is removed from WebClient and Admin Console. | CVE-2013-6780 | TBD | Medium | 9.0.0 Patch 28 | ||
80716 | An attacker can use cpio package to gain incorrect access to any other user accounts. Zimbra recommends pax over cpio. | CVE-2022-41352 | 9.8 | Major | 9.0.0 Patch 27 8.8.15 Patch 34 |
Yeak Nai Siew |
Zimbra's sudo configuration permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters. | CVE-2022-37393 | 7.8 | Medium | 9.0.0 Patch 27 8.8.15 Patch 34 |
Darren Martyn | |
XSS can occur via one of the attribute of an IMG element, leading to information disclosure. | CVE-2022-41348 | 6.1 | Medium | 9.0.0 Patch 27 | Synacktiv | |
XSS can occur via one of attribute in search component of webmail, leading to information disclosure. | CVE-2022-41350 | 6.1 | Medium | 8.8.15 Patch 34 | Tin Pham aka TF1T of VietSunshine Cyber Security Services | |
XSS can occur via one of attribute in compose component of webmail, leading to information disclosure. | CVE-2022-41349 | 6.1 | Medium | 8.8.15 Patch 34 | Tin Pham aka TF1T of VietSunshine Cyber Security Services | |
XSS can occur via one of attribute in calendar component of webmail, leading to information disclosure. | CVE-2022-41351 | 6.1 | Medium | 8.8.15 Patch 34 | Tin Pham aka TF1T of VietSunshine Cyber Security Services | |
Upgraded OpenSSL to 1.1.1q avoid multiple vulnerabilities. | 9.8 | Low | 9.0.0 Patch 26 8.8.15 Patch 33 |
Upstream, see CVE-2022-2068 | ||
Authentication Bypass in MailboxImportServlet. | CVE-2022-37042 | 9.8 | High | 9.0.0 Patch 26 8.8.15 Patch 33 |
Steven Adair and Thomas Lancaster of Volexity | |
109447 | Proxy Servlet SSRF Vulnerability. | CVE-2022-37041 | 7.5 | Low | 9.0.0 Patch 26 8.8.15 Patch 33 |
Nicolas VERDIER of onepoint |
When using preauth, CSRF tokens are not checked on some post endpoints. | CVE-2022-37043 | 5.7 | Low | 9.0.0 Patch 26 8.8.15 Patch 33 |
Telenet security team | |
Cyrus SASL package has been upgraded to version 2.1.28. | 8.8 | Low | 9.0.0 Patch 26 8.8.15 Patch 33 |
Upstream, see CVE-2022-24407 | ||
RXSS on '/h/search' via title parameter | CVE-2022-37044 | 6.1 | Low | 8.8.15 Patch 33 | ||
RXSS on '/h/search' via onload parameter | CVE-2022-37044 | 6.1 | Low | 8.8.15 Patch 33 | ||
RXSS on '/h/search' via extra parameter | CVE-2022-37044 | 6.1 | Low | 8.8.15 Patch 33 | ||
Upgraded Log4j to v2. | 10.0 | Low | 9.0.0 Patch 25 8.8.15 Patch 32 |
Upstream, see CVE-2021-44228, CVE-2021-45105, CVE-2019-17571 | ||
Upgraded OpenSSL to 1.1.1n to avoid DoS vulnerability. | 7.5 | Low | 9.0.0 Patch 25 8.8.15 Patch 32 |
Upstream, see CVE-2022-0778 | ||
Upgraded Jetty to 9.4.46 to avoid vulnerability due to large TLS packets causing 100% CPU usage. | 7.5 | Low | 9.0.0 Patch 25 8.8.15 Patch 32 |
Upstream, see CVE-2021-28165 | ||
Upgraded mina-core to version 2.1.6. | 7.5 | Low | 9.0.0 Patch 25 8.8.15 Patch 32 |
Upstream, see CVE-2019-0231 | ||
Memcached poisoning with unauthenticated request. | CVE-2022-27924 | 7.5 | Medium | 9.0.0 Patch 24 8.8.15 Patch 31 |
Simon Scannell of Sonarsource | |
RCE through mboximport from authenticated user. | CVE-2022-27925 | 7.2 | Medium | 9.0.0 Patch 24 8.8.15 Patch 31 |
Mikhail Klyuchnikov of Positive Technologies | |
XSS vulnerability in calendar in classic html client using /h/calendar. | CVE-2022-24682 | 6.1 | Medium | 8.8.15 Patch 30 | Steven Adair and Thomas Lancaster of Volexity | |
Proxy Servlet Open Redirect Vulnerability | CVE-2021-35209 | 9.8 | Medium | 9.0.0 Patch 16 8.8.15 Patch 23 |
Simon Scannell of Sonarsource | |
Open Redirect Vulnerability in preauth servlet | CVE-2021-34807 | 6.1 | Low | 9.0.0 Patch 16 8.8.15 Patch 23 |
Simon Scannell of Sonarsource | |
Stored XSS Vulnerability in ZmMailMsgView.java | CVE-2021-35208 | 5.4 | Medium | 9.0.0 Patch 16 8.8.15 Patch 23 |
Simon Scannell of Sonarsource | |
XSS vulnerability in Zimbra Web Client via loginErrorCode | CVE-2021-35207 | 6.1 | Medium | 9.0.0 Patch 16 8.8.15 Patch 23 |
||
Heap-based buffer overflow vulnerabilities in PHP < 7.3.10 | 9.8 | Critical | 9.0.0 Patch 13 | Upstream, see CVE-2019-9641, CVE-2019-9640 | ||
Heap-based buffer overflow vulnerabilities in PHP < 7.3.10 | 9.8 | Critical | 8.8.15 Patch 20 | Upstream, see CVE-2019-9641, CVE-2019-9640 | ||
Upgraded Apache to 2.4.46 to avoid multiple vulnerabilities. | 7.8 | High | 9.0.0 Patch 13 | Upstream, see CVE-2019-0211, CVE-2019-0217 | ||
Upgraded Apache to 2.4.46 to avoid multiple vulnerabilities. | 7.8 | High | 8.8.15 Patch 20 | Upstream, see CVE-2019-0211, CVE-2019-0217 | ||
XXE (CWE-776) vulnerability in saml consumer store servlet (Network Edition) | CVE-2020-35123 | 6.5 | Medium | 9.0.0 Patch 10 | Primerica | |
XXE (CWE-776) vulnerability in saml consumer store servlet (Network Edition) | CVE-2020-35123 | 6.5 | Medium | 8.8.15 Patch 17 | Primerica | |
XSS CWE-79 vulnerability in tinymce | n/a | 6.1 | Medium | 9.0.0 Patch 5 | Upstream, see CVE-2019-1010091 | |
Memory Leak in nodejs library mem | n/a | 5.5 | Medium | 9.0.0 Patch 5 | Upstream, see WS-2018-0236 | |
Persistent XSS | CVE-2020-13653 | 6.1 | Minor | 8.8.15 Patch 11 9.0.0 Patch 4 |
Telenet | |
Unrestricted Upload of File with Dangerous Type CWE-434 | CVE-2020-12846 | 6.0 | Minor | 8.8.16 Patch 10 9.0.0 Patch 3 |
Telenet | |
Persistent XSS CWE-79 | CVE-2020-11737 | 4.3 | Minor | 9.0.0 Patch 2 | Zimbra | |
109174 | Non-Persistent XSS CWE-79 | CVE-2019-12427 | 4.3 | Minor | 8.8.15 Patch 1 | Meridian Miftari |
109141 | Non-Persistent XSS CWE-79 | CVE-2019-15313 | 4.3 | Minor | 8.8.15 Patch 1 | Quang Bui |
109124 | Non-Persistent XSS CWE-79 | CVE-2019-8947 | 2.6 | Minor | - | Issam Rabhi of Sysdream |
109123 | Persistent XSS CWE-79 | CVE-2019-8946 | 2.6 | Minor | - | Issam Rabhi of Sysdream |
109122 | Persistent XSS CWE-79 | CVE-2019-8945 | 3.5 | Minor | - | Issam Rabhi of Sysdream |
109117 | Persistent XSS CWE-79 | CVE-2019-11318 | 3.5 | Minor | 8.8.12 Patch 1 | Mondher Smii |
109127 | SSRF CWE-918 / CWE-807 | CVE-2019-9621 | 4.0 | Minor | 8.7.11 Patch11 8.8.9 Patch10 8.8.10 Patch8 8.8.11 Patch4 8.8.12 |
An Trinh |
109096 | Blind SSRF CWE-918 | CVE-2019-6981 | 4.0 | Minor | 8.7.11 Patch11 8.8.9 Patch10 8.8.10 Patch8 8.8.11 Patch4 8.8.12 |
An Trinh |
109129 | XXE CWE-611 (8.7.x only) |
CVE-2019-9670 | 6.4 | Major | 8.7.11 Patch10 | Khanh Van Pham An Trinh |
109097 | Insecure object deserialization CWE-502 | CVE-2019-6980 | 5.4 | Major | 8.7.11 Patch9 8.8.9 Patch10 8.8.10 Patch7 8.8.11 Patch3 8.8.12 |
An Trinh |
109093 | XXE CWE-611 | CVE-2018-20160 | 6.4 | Major | 8.7.x see 109129 above 8.8.9 Patch9 8.8.10 Patch5 8.8.11 Patch1 8.8.12 |
An Trinh |
109017 | Non-Persistent XSS CWE-79 | CVE-2018-14013 | 4.3 | Minor | 8.7.11 Patch8 8.8.9 Patch9 8.8.10 Patch5 8.8.11 |
Issam Rabhi of Sysdream |
109020 | Persistent XSS CWE-79 | CVE-2018-18631 | 5.0 | Major | 8.7.11 Patch7 8.8.9 Patch7 8.8.10 Patch2 8.8.11 |
Netragard |
109018 | Non-Persistent CWE-79 | CVE-2018-14013 | 2.6 | Minor | 8.7.11 Patch7 8.8.9 Patch6 8.8.10 Patch1 8.8.11 |
Issam Rabhi of Sysdream |
109021 | Limited Content Spoofing CWE-345 | CVE-2018-17938 | 4.3 | Minor | 8.8.10 | Sumit Sahoo |
109012 | Account Enumeration CWE-203 | CVE-2018-15131 | 5.0 | Major | 8.7.11 Patch6 8.8.8 Patch9 8.8.9 Patch3 |
Danielle Deibler |
108970 | Persistent XSS CWE-79 | CVE-2018-14425 | 3.5 | Minor | 8.8.8 Patch7 8.8.9 Patch1 |
Diego Di Nardo |
108902 | Persistent XSS CWE-79 | CVE-2018-10939 | 3.5 | Minor | 8.6.0 Patch11 8.7.11 Patch4 8.8.8 Patch4 |
Diego Di Nardo |
108963 | Verbose Error Messages CWE-209 | CVE-2018-10950 | 3.5 | Minor | 8.7.11 Patch3 8.8.8 |
Netragard |
108962 | Account Enumeration CWE-203 | CVE-2018-10949 | 5.0 | Major | 8.7.11 Patch3 8.8.8 |
Netragard |
108894 | Persistent XSS CWE-199 | CVE-2018-10951 | 3.6 | Minor | 8.6.0 Patch10 8.7.11 Patch3 8.8.8 |
Netragard |
97579 | CSRF CWE-352 | CVE-2015-7610 | 5.8 | Major | 8.6.0 Patch10 8.7.11 Patch2 8.8.8 Patch1 |
Fortinet's FortiGuard Labs |
108786 | Persistent XSS CWE-79 | CVE-2018-6882 | 4.3 | Minor | 8.6.0 Patch10 8.7.11 Patch1 8.8.7 8.8.8 |
Stephan Kaag of Securify |
108265 | Persistent XSS CWE-79 | CVE-2017-17703 | 4.3 | Minor | 8.6.0 Patch9 8.7.11 Patch1 8.8.3 |
Veit Hailperin |
107963 | Host header injection CWE-20 | - | 4.3 | Minor | 8.8.0 Beta2 | - |
107948 |
Persistent XSS CWE-79 | CVE-2018-10948 | 3.5 | Minor | 8.6.0 Patch10 8.7.11 Patch3 8.8.0 Beta2 |
Lucideus Phil Pearl |
107925 | Persistent XSS - snippet CWE-79 | CVE-2017-8802 | 3.5 | Minor | 8.6.0 Patch9 8.7.11 Patch1 8.8.0 Beta2 |
Compass Security |
107878 | Persistent XSS - location CWE-79 | CVE-2017-8783 | 4.0 | Minor | 8.7.10 | Stephan Kaag of Securify |
107712 | Improper limitation of file paths CWE-22 | CVE-2017-6821 | 4.0 | Minor | 8.7.6 | Greg Solovyev, Phil Pearl |
107684 | Improper handling of privileges CWE-280 | CVE-2017-6813 | 4.0 | Major | 8.6.0 Patch9 8.7.6 |
Greg Solovyev |
106811 | XXE CWE-611 | CVE-2016-9924 | 5.8 | Major | 8.6.0 Patch10 8.7.4 |
Alastair Gray |
106612 | Persistent XSS CWE-79 | CVE-2017-7288 | 4.3 | Minor | 8.6.0 Patch11 8.7.1 |
Sammy Forgit |
105001 105174 |
XSS CWE-79 | CVE-2016-5721 | 4.3 2.1 |
Minor | 8.6.0 Patch11 8.7.0 |
Secu |
104552 104703 |
XSS CWE-79 | CVE-2016-3999 | 4.3 | Minor | 8.7.0 | Nam Habach |
104477 | Open Redirect CWE-601 | CVE-2016-4019 | 4.3 | Minor | 8.7.0 | Zimbra |
104294 104456 |
CSRF CWE-352 | CVE-2016-3406 | 2.6 | Minor | 8.6.0 Patch8 8.7.0 |
Zimbra |
104222 105175 |
XSS CWE-79 | CVE-2016-3407 | 4.3 3.5 4.3 2.1 |
Minor | 8.6.0 Patch11 8.7.0 |
Zimbra |
103997 104791 |
XSS CWE-79 | CVE-2016-3412 | 3.5 | Minor | 8.7.0 | Zimbra |
103996 | XXE (Admin) CWE-611- | CVE-2016-3413 | 2.6 | Minor | 8.6.0 Patch11 8.7.0 |
Zimbra |
103961 104828 |
CSRF CWE-352 | CVE-2016-3405 | 4.3 | Minor | 8.6.0 Patch8 8.7.0 |
Zimbra |
103959 | CSRF CWE-352 | CVE-2016-3404 | 4.3 | Minor | 8.6.0 Patch8 8.7.0 |
Zimbra |
103956 104839 |
XSS CWE-79 | CVE-2016-3410 | 4.3 | Minor | 8.6.0 Patch11 8.7.0 |
Zimbra |
103609 | XSS CWE-79 | CVE-2016-3411 | 3.5 | Minor | 8.6.0 Patch11 8.7.0 |
Zimbra |
102637 | XSS CWE-79 | CVE-2016-3409 | 4.3 | Minor | 8.6.0 Patch11 8.7.0 |
Peter Nguyen |
102276 | Deserialization of Untrusted Data CWE-502 | CVE-2016-3415 | 5.8 | Major | 8.7.0 | Zimbra |
102227 | Deserialization of Untrusted Data CWE-502 | n/a | 7.5 | Major | 8.7.0 | Upstream, see CVE-2015-4852 |
102029 | CWE-674 | CVE-2016-3414 | 4.0 | Minor | 8.6.0 Patch7 8.7.0 |
Zimbra |
101813 | XSS CWE-79 | CVE-2016-3408 | 4.3 | Minor | 8.6.0 Patch11 8.7.0 |
Volexity |
100885 100899 |
CSRF CWE-352 | CVE-2016-3403 | 5.8 | Major | 8.6.0 Patch8 8.7.0 |
Sysdream |
99810 | CWE-284 CWE-203 | CVE-2016-3401 | 3.5 | Minor | 8.7.0 | Zimbra |
99167 | Account Enumeration CWE-203 | CVE-2016-3402 | 2.6 | Minor | 8.7.0 | Zimbra |
101435 101436 |
Persistent XSS CWE-79 | CVE-2015-7609 | 6.4 2.3 |
Major | 8.6.0 Patch5 8.7.0 |
Fortinet's FortiGuard Labs |
101559 96973 |
XSS CWE-79 | CVE-2015-2249 | 3.5 | Minor | 8.6.0 Patch5 8.7.0 |
Zimbra |
99236 | XSS Vuln in YUI components in ZCS | n/a | 4.3 | Minor | 8.6.0 Patch5 | Upstream, see CVE-2012-5881 CVE-2012-5882 CVE-2012-5883 |
98358 98215 |
Non-Persistent XSS CWE-79 | CVE-2015-2249 | 4.3 | Minor | 8.6.0 Patch2 8.7.0 |
Cure53 |
97625 | Non-Persistent XSS CWE-79 | CVE-2015-2230 | 3.5 | Minor | 8.6.0 Patch2 | MWR InfoSecurity |
96105 | Improper Input Validation CWE-20 | CVE-2014-8563 | 5.8 | Major | 8.0.9 8.5.1 8.6.0 |
- |
83547 | CSRF Vulnerability CWE-352 | CVE-2015-6541 | 5.8 | Major | 8.5.0 | iSEC Partners, Sysdream |
87412 92835 |
XSS Vulnerabilities CWE-79 (8.0.7 Patch contains 87412) |
CVE-2014-5500 | 4.3 | Minor | 8.0.8 8.5.0 |
- |
83550 | Session Fixation CWE-384 | CVE-2013-5119 | 5.8 | Major | 8.5.0 | - |
91484 | Patch ZCS8 OpenSSL for CVE-2014-0224 | n/a | 6.8 | Major |
8.0.3+Patch 8.0.4+Patch 8.0.5+Patch 8.0.6+Patch 8.0.7+Patch |
Upstream, see CVE-2014-0224 |
88708 | Patch ZCS8 OpenSSL for CVE-2014-0160 | n/a | 5.0 | Major |
8.0.3+Patch 8.0.4+Patch 8.0.5+Patch 8.0.6+Patch 8.0.7+Patch 8.0.7 |
Upstream, see CVE-2014-0160 |
85499 | Upgrade to OpenSSL 1.0.1f | n/a | 4.3 4.3 5.8 |
Major | 8.0.7 | Upstream, see CVE-2013-4353 CVE-2013-6449 CVE-2013-6450 |
84547 | XXE CWE-611 | CVE-2013-7217 | 6.4 (not 10.0) |
Critical | 7.2.2_Patch3 7.2.3_Patch 7.2.4_Patch2 7.2.5_Patch 7.2.6 8.0.3_Patch3 8.0.4_Patch2 8.0.5_Patch 8.0.6 |
Private |
85478 | XSS vulnerability in message view | - | 6.4 | Major | 8.0.7 | Alban Diquet of iSEC Partners |
85411 | Local root privilege escalation | - | 6.2 | Major | 8.0.7 | Matthew David |
85000 | Patch nginx for CVE-2013-4547 | n/a | 7.5 | Major | 7.2.7 8.0.7 |
Upstream, see CVE-2013-4547 |
Upgrade to JDK 1.6 u41 Upgrade OpenSSL to 1.0.0k Upgrade to JDK 1.7u15+ Upgrade to OpenSSL 1.0.1d |
n/a | 2.6 | Minor | 7.2.3 7.2.3 8.0.3 8.0.3 |
Upstream, see CVE-2013-0169 |
|
80338 | Local file inclusion via skin/branding feature CWE-22 | CVE-2013-7091 | 5.0 | Critical | 6.0.16_Patch 7.1.1_Patch6 7.1.3_Patch3 7.2.2_Patch2 7.2.3 8.0.2_Patch 8.0.3 |
Private |
77655 | Separate keystore for CAs used for X509 authentication | - | 5.8 | Major | 8.0.7 | Private |
75424 | Upgrade to Clamav 0.97.5 | n/a | 4.3 4.3 4.3 |
Minor | 7.2.1 | Upstream, see CVE-2012-1457 CVE-2012-1458 CVE-2012-1459 |
64981 | Do not allow HTTP GET for login | - | 6.8 | Major | 7.1.3_Patch 7.1.4 |
Private |
Try Zimbra
Try now Zimbra Collaboration without any cost with the 60-day free Trial.
Get it now »
Want to get involved?
You can contribute in the Community, in the Wiki, in the Code, or developing Zimlets.
Find out more. »
Other Help Resources
Visit the User Help Page »
Visit the Official Forums »
Zimbra Documentation Page »
Looking for a Video?
Visit our YouTube Channel to keep posted about Webinars, technology news, Product overviews and more.
Go to the YouTube Channel »