Difference between revisions of "Zimbra Security Advisories"

(Zimbra Collaboration - Security Vulnerability Advisories)
(Zimbra Collaboration - Security Vulnerability Advisories)
 
(5 intermediate revisions by 2 users not shown)
Line 22: Line 22:
 
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix&nbsp;Release&nbsp;or <br />Patch&nbsp;Version</span></th>
 
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix&nbsp;Release&nbsp;or <br />Patch&nbsp;Version</span></th>
 
<th style="background-color: #f15922;"><span style="color: #ffffff;">Reporter</span></th>
 
<th style="background-color: #f15922;"><span style="color: #ffffff;">Reporter</span></th>
 +
</tr>
 +
 +
<tr>
 +
<td></td>
 +
<td>Upgraded OpenSSL to 1.1.1q avoid multiple vulnerabilities.</td>
 +
<td></td>
 +
<td>[https://access.redhat.com/security/cve/cve-2022-0778#cve-cvss-v3 9.8]</td>
 +
<td>Low</td>
 +
<td nowrap>9.0.0 Patch 26<br />8.8.15 Patch 33</td>
 +
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2022-2068 CVE-2022-2068]</td>
 +
</tr>
 +
 +
<tr>
 +
<td></td>
 +
<td>Authentication Bypass in MailboxImportServlet.</td>
 +
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-37042 CVE-2022-37042]</td>
 +
<td>[https://access.redhat.com/security/cve/cve-2022-0778#cve-cvss-v3 9.8]</td>
 +
<td>High</td>
 +
<td nowrap>9.0.0 Patch 26<br />8.8.15 Patch 33</td>
 +
<td>Steven Adair and Thomas Lancaster of [https://www.volexity.com/ Volexity]</td>
 +
</tr>
 +
 +
<tr>
 +
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109447 109447]</td>
 +
<td>Proxy Servlet SSRF Vulnerability.</td>
 +
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-37041 CVE-2022-37041]</td>
 +
<td>[https://access.redhat.com/security/cve/cve-2022-0778#cve-cvss-v3 7.5]</td>
 +
<td>Low</td>
 +
<td nowrap>9.0.0 Patch 26<br />8.8.15 Patch 33</td>
 +
<td>Nicolas VERDIER of onepoint</td>
 +
</tr>
 +
 +
<tr>
 +
<td></td>
 +
<td>When using preauth, CSRF tokens are not checked on some post endpoints.</td>
 +
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-37043 CVE-2022-37043]</td>
 +
<td>[https://access.redhat.com/security/cve/cve-2022-0778#cve-cvss-v3 5.7]</td>
 +
<td>Low</td>
 +
<td nowrap>9.0.0 Patch 26<br />8.8.15 Patch 33</td>
 +
<td>Telenet security team</td>
 +
</tr>
 +
 +
<tr>
 +
<td></td>
 +
<td>Cyrus SASL package has been upgraded to version 2.1.28.</td>
 +
<td></td>
 +
<td>[https://access.redhat.com/security/cve/cve-2022-0778#cve-cvss-v3 8.8]</td>
 +
<td>Low</td>
 +
<td nowrap>9.0.0 Patch 26<br />8.8.15 Patch 33</td>
 +
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2022-24407 CVE-2022-24407]</td>
 +
</tr>
 +
 +
<tr>
 +
<td></td>
 +
<td>RXSS on '/h/search' via title parameter </td>
 +
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-37044 CVE-2022-37044]</td>
 +
<td>[https://access.redhat.com/security/cve/cve-2022-0778#cve-cvss-v3 6.1]</td>
 +
<td>Low</td>
 +
<td nowrap>8.8.15 Patch 33</td>
 +
<td></td>
 +
</tr>
 +
 +
<tr>
 +
<td></td>
 +
<td>RXSS on '/h/search' via onload parameter</td>
 +
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-37044 CVE-2022-37044]</td>
 +
<td>[https://access.redhat.com/security/cve/cve-2022-0778#cve-cvss-v3 6.1]</td>
 +
<td>Low</td>
 +
<td nowrap>8.8.15 Patch 33</td>
 +
<td></td>
 +
</tr>
 +
 +
<tr>
 +
<td></td>
 +
<td>RXSS on '/h/search' via extra parameter</td>
 +
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-37044 CVE-2022-37044]</td>
 +
<td>[https://access.redhat.com/security/cve/cve-2022-0778#cve-cvss-v3 6.1]</td>
 +
<td>Low</td>
 +
<td nowrap>8.8.15 Patch 33</td>
 +
<td></td>
 +
</tr>
 +
 +
<tr>
 +
<td></td>
 +
<td>Upgraded Log4j to v2.</td>
 +
<td></td>
 +
<td>[https://access.redhat.com/security/cve/cve-2022-0778#cve-cvss-v3 10.0]</td>
 +
<td>Low</td>
 +
<td nowrap>9.0.0 Patch 25<br />8.8.15 Patch 32</td>
 +
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2021-44228 CVE-2021-44228], [https://nvd.nist.gov/vuln/detail/CVE-2021-45105 CVE-2021-45105], [https://nvd.nist.gov/vuln/detail/CVE-2019-17571 CVE-2019-17571]</td>
 +
</tr>
 +
 +
<tr>
 +
<td></td>
 +
<td>Upgraded OpenSSL to 1.1.1n to avoid DoS vulnerability.</td>
 +
<td></td>
 +
<td>[https://access.redhat.com/security/cve/cve-2022-0778#cve-cvss-v3 7.5]</td>
 +
<td>Low</td>
 +
<td nowrap>9.0.0 Patch 25<br />8.8.15 Patch 32</td>
 +
<td>Upstream, see [https://access.redhat.com/security/cve/cve-2022-0778 CVE-2022-0778]</td>
 +
</tr>
 +
 +
<tr>
 +
<td></td>
 +
<td>Upgraded Jetty to 9.4.46 to avoid vulnerability due to large TLS packets causing 100% CPU usage.</td>
 +
<td></td>
 +
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.5]</td>
 +
<td>Low</td>
 +
<td nowrap>9.0.0 Patch 25<br />8.8.15 Patch 32</td>
 +
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2021-28165 CVE-2021-28165]</td>
 +
</tr>
 +
 +
<tr>
 +
<td></td>
 +
<td>Upgraded mina-core to version 2.1.6.</td>
 +
<td></td>
 +
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.5]</td>
 +
<td>Low</td>
 +
<td nowrap>9.0.0 Patch 25<br />8.8.15 Patch 32</td>
 +
<td>Upstream, see [https://nvd.nist.gov/vuln/detail/CVE-2019-0231 CVE-2019-0231]</td>
 +
</tr>
 +
 +
<tr>
 +
<td></td>
 +
<td>Memcached poisoning with unauthenticated request.</td>
 +
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-27924 CVE-2022-27924]</td>
 +
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.5]</td>
 +
<td>Medium</td>
 +
<td nowrap>9.0.0 Patch 24<br />8.8.15 Patch 31</td>
 +
<td>Simon Scannell of [https://sonarsource.com/ Sonarsource]</td>
 +
</tr>
 +
 +
<tr>
 +
<td></td>
 +
<td>RCE through mboximport from authenticated user.</td>
 +
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-27925 CVE-2022-27925]</td>
 +
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.2]</td>
 +
<td>Medium</td>
 +
<td nowrap>9.0.0 Patch 24<br />8.8.15 Patch 31</td>
 +
<td>Mikhail Klyuchnikov of [https://www.ptsecurity.com Positive Technologies]</td>
 +
</tr>
 +
 +
<tr>
 +
<td></td>
 +
<td>XSS vulnerability in calendar in classic html client using /h/calendar. </td>
 +
<td>[https://nvd.nist.gov/vuln/detail/CVE-2022-24682 CVE-2022-24682]</td>
 +
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td>
 +
<td>Medium</td>
 +
<td nowrap>8.8.15 Patch 30</td>
 +
<td>Steven Adair and Thomas Lancaster of [https://www.volexity.com/ Volexity]</td>
 
</tr>
 
</tr>
  
Line 28: Line 178:
 
<td>Proxy Servlet Open Redirect Vulnerability</td>
 
<td>Proxy Servlet Open Redirect Vulnerability</td>
 
<td>[https://nvd.nist.gov/vuln/detail/CVE-2021-35209 CVE-2021-35209]</td>
 
<td>[https://nvd.nist.gov/vuln/detail/CVE-2021-35209 CVE-2021-35209]</td>
<td></td>
+
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 9.8]</td>
 
<td>Medium</td>
 
<td>Medium</td>
<td nowrap>9.0.0 Patch 16, 8.8.15 Patch 23</td>
+
<td nowrap>9.0.0 Patch 16<br />8.8.15 Patch 23</td>
 
<td>Simon Scannell of [https://sonarsource.com/ Sonarsource]</td>
 
<td>Simon Scannell of [https://sonarsource.com/ Sonarsource]</td>
 
</tr>
 
</tr>
Line 38: Line 188:
 
<td>Open Redirect Vulnerability in preauth servlet</td>
 
<td>Open Redirect Vulnerability in preauth servlet</td>
 
<td> [https://nvd.nist.gov/vuln/detail/CVE-2021-34807 CVE-2021-34807]</td>
 
<td> [https://nvd.nist.gov/vuln/detail/CVE-2021-34807 CVE-2021-34807]</td>
<td></td>
+
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td>
 
<td>Low</td>
 
<td>Low</td>
<td nowrap>9.0.0 Patch 16, 8.8.15 Patch 23</td>
+
<td nowrap>9.0.0 Patch 16<br />8.8.15 Patch 23</td>
 
<td>Simon Scannell of [https://sonarsource.com/ Sonarsource]</td>
 
<td>Simon Scannell of [https://sonarsource.com/ Sonarsource]</td>
 
</tr>
 
</tr>
Line 48: Line 198:
 
<td>Stored XSS Vulnerability in ZmMailMsgView.java</td>
 
<td>Stored XSS Vulnerability in ZmMailMsgView.java</td>
 
<td>[https://nvd.nist.gov/vuln/detail/CVE-2021-35208 CVE-2021-35208]</td>
 
<td>[https://nvd.nist.gov/vuln/detail/CVE-2021-35208 CVE-2021-35208]</td>
<td></td>
+
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 5.4]</td>
 
<td>Medium</td>
 
<td>Medium</td>
<td nowrap>9.0.0 Patch 16, 8.8.15 Patch 23</td>
+
<td nowrap>9.0.0 Patch 16<br />8.8.15 Patch 23</td>
 
<td>Simon Scannell of [https://sonarsource.com/ Sonarsource]</td>
 
<td>Simon Scannell of [https://sonarsource.com/ Sonarsource]</td>
 
</tr>
 
</tr>
Line 58: Line 208:
 
<td>XSS vulnerability in Zimbra Web Client via loginErrorCode</td>
 
<td>XSS vulnerability in Zimbra Web Client via loginErrorCode</td>
 
<td>[https://nvd.nist.gov/vuln/detail/CVE-2021-35207 CVE-2021-35207]</td>
 
<td>[https://nvd.nist.gov/vuln/detail/CVE-2021-35207 CVE-2021-35207]</td>
<td></td>
+
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td>
 
<td>Medium</td>
 
<td>Medium</td>
<td nowrap>9.0.0 Patch 16, 8.8.15 Patch 23</td>
+
<td nowrap>9.0.0 Patch 16<br />8.8.15 Patch 23</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
Line 68: Line 218:
 
<td>Heap-based buffer overflow vulnerabilities in PHP < 7.3.10</td>
 
<td>Heap-based buffer overflow vulnerabilities in PHP < 7.3.10</td>
 
<td></td>
 
<td></td>
<td>9.8</td>
+
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 9.8]</td>
 
<td>Critical</td>
 
<td>Critical</td>
 
<td>9.0.0 Patch 13</td>
 
<td>9.0.0 Patch 13</td>
Line 78: Line 228:
 
<td>Heap-based buffer overflow vulnerabilities in PHP < 7.3.10</td>
 
<td>Heap-based buffer overflow vulnerabilities in PHP < 7.3.10</td>
 
<td></td>
 
<td></td>
<td>9.8</td>
+
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 9.8]</td>
 
<td>Critical</td>
 
<td>Critical</td>
 
<td>8.8.15 Patch 20</td>
 
<td>8.8.15 Patch 20</td>
Line 88: Line 238:
 
<td>Upgraded Apache to 2.4.46 to avoid multiple vulnerabilities.</td>
 
<td>Upgraded Apache to 2.4.46 to avoid multiple vulnerabilities.</td>
 
<td></td>
 
<td></td>
<td>7.8</td>
+
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.8]</td>
 
<td>High</td>
 
<td>High</td>
 
<td>9.0.0 Patch 13</td>
 
<td>9.0.0 Patch 13</td>
Line 99: Line 249:
 
<td>Upgraded Apache to 2.4.46 to avoid multiple vulnerabilities.</td>
 
<td>Upgraded Apache to 2.4.46 to avoid multiple vulnerabilities.</td>
 
<td></td>
 
<td></td>
<td>7.8</td>
+
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 7.8]</td>
 
<td>High</td>
 
<td>High</td>
 
<td>8.8.15 Patch 20</td>
 
<td>8.8.15 Patch 20</td>
Line 109: Line 259:
 
<td>XXE ([https://cwe.mitre.org/data/definitions/776.html CWE-776]) vulnerability in saml consumer store servlet (Network Edition) </td>
 
<td>XXE ([https://cwe.mitre.org/data/definitions/776.html CWE-776]) vulnerability in saml consumer store servlet (Network Edition) </td>
 
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2020-35123 CVE-2020-35123]</td>
 
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2020-35123 CVE-2020-35123]</td>
<td></td>
+
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.5]</td>
 
<td>Medium</td>
 
<td>Medium</td>
 
<td>9.0.0 Patch 10</td>
 
<td>9.0.0 Patch 10</td>
Line 119: Line 269:
 
<td>XXE ([https://cwe.mitre.org/data/definitions/776.html CWE-776]) vulnerability in saml consumer store servlet (Network Edition) </td>
 
<td>XXE ([https://cwe.mitre.org/data/definitions/776.html CWE-776]) vulnerability in saml consumer store servlet (Network Edition) </td>
 
<td>[https://nvd.nist.gov/vuln/detail/CVE-2020-35123 CVE-2020-35123]</td>
 
<td>[https://nvd.nist.gov/vuln/detail/CVE-2020-35123 CVE-2020-35123]</td>
<td></td>
+
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.5]</td>
 
<td>Medium</td>
 
<td>Medium</td>
 
<td>8.8.15 Patch 17</td>
 
<td>8.8.15 Patch 17</td>
Line 130: Line 280:
 
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79] vulnerability in tinymce</td>
 
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79] vulnerability in tinymce</td>
 
<td nowrap>n/a</td>
 
<td nowrap>n/a</td>
<td>6.1</td>
+
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td>
 
<td>Medium</td>
 
<td>Medium</td>
 
<td>9.0.0 Patch 5</td>
 
<td>9.0.0 Patch 5</td>
Line 140: Line 290:
 
<td>Memory Leak in nodejs library [https://github.com/sindresorhus/mem mem]</td>
 
<td>Memory Leak in nodejs library [https://github.com/sindresorhus/mem mem]</td>
 
<td nowrap>n/a</td>
 
<td nowrap>n/a</td>
<td>5.5</td>
+
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 5.5]</td>
 
<td>Medium</td>
 
<td>Medium</td>
 
<td>9.0.0 Patch 5</td>
 
<td>9.0.0 Patch 5</td>
Line 150: Line 300:
 
<td>Persistent XSS</td>
 
<td>Persistent XSS</td>
 
<td nowrap> [https://nvd.nist.gov/vuln/detail/CVE-2020-13653 CVE-2020-13653] </td>
 
<td nowrap> [https://nvd.nist.gov/vuln/detail/CVE-2020-13653 CVE-2020-13653] </td>
<td></td>
+
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.1]</td>
 
<td>Minor</td>
 
<td>Minor</td>
<td>8.8.15 Patch 11, 9.0.0 Patch 4</td>
+
<td>8.8.15 Patch 11<br />9.0.0 Patch 4</td>
 
<td>Telenet</td>
 
<td>Telenet</td>
 
</tr>
 
</tr>
Line 161: Line 311:
 
<td>Unrestricted Upload of File with Dangerous Type [https://cwe.mitre.org/data/definitions/434.html CWE-434]</td>
 
<td>Unrestricted Upload of File with Dangerous Type [https://cwe.mitre.org/data/definitions/434.html CWE-434]</td>
 
<td nowrap> [https://nvd.nist.gov/vuln/detail/CVE-2020-12846 CVE-2020-12846] </td>
 
<td nowrap> [https://nvd.nist.gov/vuln/detail/CVE-2020-12846 CVE-2020-12846] </td>
<td>6.0</td>
+
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 6.0]</td>
 
<td>Minor</td>
 
<td>Minor</td>
<td>8.8.16 Patch 10, 9.0.0 Patch 3 </td>
+
<td>8.8.16 Patch 10<br />9.0.0 Patch 3 </td>
 
<td>Telenet</td>
 
<td>Telenet</td>
 
</tr>
 
</tr>

Latest revision as of 11:37, 15 September 2022

Zimbra Security Advisories

Overview

The following Security Vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest release and patches, please be sure to update your Zimbra Collaboration servers with the software available on our Download pages:

Zimbra Collaboration - Security Vulnerability Advisories

Note: only supported versions are referenced, however older unsupported versions often have the same vulnerabilities and should be upgraded to supported versions as soon as possible.
(going back to ZCS 7.1.3)

Bug# Summary CVE-ID CVSS
Score
Zimbra
Rating
Fix Release or
Patch Version
Reporter
Upgraded OpenSSL to 1.1.1q avoid multiple vulnerabilities. 9.8 Low 9.0.0 Patch 26
8.8.15 Patch 33
Upstream, see CVE-2022-2068
Authentication Bypass in MailboxImportServlet. CVE-2022-37042 9.8 High 9.0.0 Patch 26
8.8.15 Patch 33
Steven Adair and Thomas Lancaster of Volexity
109447 Proxy Servlet SSRF Vulnerability. CVE-2022-37041 7.5 Low 9.0.0 Patch 26
8.8.15 Patch 33
Nicolas VERDIER of onepoint
When using preauth, CSRF tokens are not checked on some post endpoints. CVE-2022-37043 5.7 Low 9.0.0 Patch 26
8.8.15 Patch 33
Telenet security team
Cyrus SASL package has been upgraded to version 2.1.28. 8.8 Low 9.0.0 Patch 26
8.8.15 Patch 33
Upstream, see CVE-2022-24407
RXSS on '/h/search' via title parameter CVE-2022-37044 6.1 Low 8.8.15 Patch 33
RXSS on '/h/search' via onload parameter CVE-2022-37044 6.1 Low 8.8.15 Patch 33
RXSS on '/h/search' via extra parameter CVE-2022-37044 6.1 Low 8.8.15 Patch 33
Upgraded Log4j to v2. 10.0 Low 9.0.0 Patch 25
8.8.15 Patch 32
Upstream, see CVE-2021-44228, CVE-2021-45105, CVE-2019-17571
Upgraded OpenSSL to 1.1.1n to avoid DoS vulnerability. 7.5 Low 9.0.0 Patch 25
8.8.15 Patch 32
Upstream, see CVE-2022-0778
Upgraded Jetty to 9.4.46 to avoid vulnerability due to large TLS packets causing 100% CPU usage. 7.5 Low 9.0.0 Patch 25
8.8.15 Patch 32
Upstream, see CVE-2021-28165
Upgraded mina-core to version 2.1.6. 7.5 Low 9.0.0 Patch 25
8.8.15 Patch 32
Upstream, see CVE-2019-0231
Memcached poisoning with unauthenticated request. CVE-2022-27924 7.5 Medium 9.0.0 Patch 24
8.8.15 Patch 31
Simon Scannell of Sonarsource
RCE through mboximport from authenticated user. CVE-2022-27925 7.2 Medium 9.0.0 Patch 24
8.8.15 Patch 31
Mikhail Klyuchnikov of Positive Technologies
XSS vulnerability in calendar in classic html client using /h/calendar. CVE-2022-24682 6.1 Medium 8.8.15 Patch 30 Steven Adair and Thomas Lancaster of Volexity
Proxy Servlet Open Redirect Vulnerability CVE-2021-35209 9.8 Medium 9.0.0 Patch 16
8.8.15 Patch 23
Simon Scannell of Sonarsource
Open Redirect Vulnerability in preauth servlet CVE-2021-34807 6.1 Low 9.0.0 Patch 16
8.8.15 Patch 23
Simon Scannell of Sonarsource
Stored XSS Vulnerability in ZmMailMsgView.java CVE-2021-35208 5.4 Medium 9.0.0 Patch 16
8.8.15 Patch 23
Simon Scannell of Sonarsource
XSS vulnerability in Zimbra Web Client via loginErrorCode CVE-2021-35207 6.1 Medium 9.0.0 Patch 16
8.8.15 Patch 23
Heap-based buffer overflow vulnerabilities in PHP < 7.3.10 9.8 Critical 9.0.0 Patch 13 Upstream, see CVE-2019-9641, CVE-2019-9640
Heap-based buffer overflow vulnerabilities in PHP < 7.3.10 9.8 Critical 8.8.15 Patch 20 Upstream, see CVE-2019-9641, CVE-2019-9640
Upgraded Apache to 2.4.46 to avoid multiple vulnerabilities. 7.8 High 9.0.0 Patch 13 Upstream, see CVE-2019-0211, CVE-2019-0217
Upgraded Apache to 2.4.46 to avoid multiple vulnerabilities. 7.8 High 8.8.15 Patch 20 Upstream, see CVE-2019-0211, CVE-2019-0217
XXE (CWE-776) vulnerability in saml consumer store servlet (Network Edition) CVE-2020-35123 6.5 Medium 9.0.0 Patch 10 Primerica
XXE (CWE-776) vulnerability in saml consumer store servlet (Network Edition) CVE-2020-35123 6.5 Medium 8.8.15 Patch 17 Primerica
XSS CWE-79 vulnerability in tinymce n/a 6.1 Medium 9.0.0 Patch 5 Upstream, see CVE-2019-1010091
Memory Leak in nodejs library mem n/a 5.5 Medium 9.0.0 Patch 5 Upstream, see WS-2018-0236
Persistent XSS CVE-2020-13653 6.1 Minor 8.8.15 Patch 11
9.0.0 Patch 4
Telenet
Unrestricted Upload of File with Dangerous Type CWE-434 CVE-2020-12846 6.0 Minor 8.8.16 Patch 10
9.0.0 Patch 3
Telenet
Persistent XSS CWE-79 CVE-2020-11737 4.3 Minor 9.0.0 Patch 2 Zimbra
109174 Non-Persistent XSS CWE-79 CVE-2019-12427 4.3 Minor 8.8.15 Patch 1 Meridian Miftari
109141 Non-Persistent XSS CWE-79 CVE-2019-15313 4.3 Minor 8.8.15 Patch 1 Quang Bui
109124 Non-Persistent XSS CWE-79 CVE-2019-8947 2.6 Minor - Issam Rabhi of Sysdream
109123 Persistent XSS CWE-79 CVE-2019-8946 2.6 Minor - Issam Rabhi of Sysdream
109122 Persistent XSS CWE-79 CVE-2019-8945 3.5 Minor - Issam Rabhi of Sysdream
109117 Persistent XSS CWE-79 CVE-2019-11318 3.5 Minor 8.8.12 Patch 1 Mondher Smii
109127 SSRF CWE-918 / CWE-807 CVE-2019-9621 4.0 Minor 8.7.11 Patch11
8.8.9 Patch10
8.8.10 Patch8
8.8.11 Patch4
8.8.12
An Trinh
109096 Blind SSRF CWE-918 CVE-2019-6981 4.0 Minor 8.7.11 Patch11
8.8.9 Patch10
8.8.10 Patch8
8.8.11 Patch4
8.8.12
An Trinh
109129 XXE CWE-611
(8.7.x only)
CVE-2019-9670 6.4 Major 8.7.11 Patch10 Khanh Van Pham
An Trinh
109097 Insecure object deserialization CWE-502 CVE-2019-6980 5.4 Major 8.7.11 Patch9
8.8.9 Patch10
8.8.10 Patch7
8.8.11 Patch3
8.8.12
An Trinh
109093 XXE CWE-611 CVE-2018-20160 6.4 Major 8.7.x see 109129 above
8.8.9 Patch9
8.8.10 Patch5
8.8.11 Patch1
8.8.12
An Trinh
109017 Non-Persistent XSS CWE-79 CVE-2018-14013 4.3 Minor 8.7.11 Patch8
8.8.9 Patch9
8.8.10 Patch5
8.8.11
Issam Rabhi of Sysdream
109020 Persistent XSS CWE-79 CVE-2018-18631 5.0 Major 8.7.11 Patch7
8.8.9 Patch7
8.8.10 Patch2
8.8.11
Netragard
109018 Non-Persistent CWE-79 CVE-2018-14013 2.6 Minor 8.7.11 Patch7
8.8.9 Patch6
8.8.10 Patch1
8.8.11
Issam Rabhi of Sysdream
109021 Limited Content Spoofing CWE-345 CVE-2018-17938 4.3 Minor 8.8.10 Sumit Sahoo
109012 Account Enumeration CWE-203 CVE-2018-15131 5.0 Major 8.7.11 Patch6
8.8.8 Patch9
8.8.9 Patch3
Danielle Deibler
108970 Persistent XSS CWE-79 CVE-2018-14425 3.5 Minor 8.8.8 Patch7
8.8.9 Patch1
Diego Di Nardo
108902 Persistent XSS CWE-79 CVE-2018-10939 3.5 Minor 8.6.0 Patch11
8.7.11 Patch4
8.8.8 Patch4
Diego Di Nardo
108963 Verbose Error Messages CWE-209 CVE-2018-10950 3.5 Minor 8.7.11 Patch3
8.8.8
Netragard
108962 Account Enumeration CWE-203 CVE-2018-10949 5.0 Major 8.7.11 Patch3
8.8.8
Netragard
108894 Persistent XSS CWE-199 CVE-2018-10951 3.6 Minor 8.6.0 Patch10
8.7.11 Patch3
8.8.8
Netragard
97579 CSRF CWE-352 CVE-2015-7610 5.8 Major 8.6.0 Patch10
8.7.11 Patch2
8.8.8 Patch1
Fortinet's FortiGuard Labs
108786 Persistent XSS CWE-79 CVE-2018-6882 4.3 Minor 8.6.0 Patch10
8.7.11 Patch1
8.8.7
8.8.8
Stephan Kaag of Securify
108265 Persistent XSS CWE-79 CVE-2017-17703 4.3 Minor 8.6.0 Patch9
8.7.11 Patch1
8.8.3
Veit Hailperin
107963 Host header injection CWE-20 - 4.3 Minor 8.8.0 Beta2 -
107948

107949

Persistent XSS CWE-79 CVE-2018-10948 3.5 Minor 8.6.0 Patch10
8.7.11 Patch3
8.8.0 Beta2
Lucideus
Phil Pearl
107925 Persistent XSS - snippet CWE-79 CVE-2017-8802 3.5 Minor 8.6.0 Patch9
8.7.11 Patch1
8.8.0 Beta2
Compass Security
107878 Persistent XSS - location CWE-79 CVE-2017-8783 4.0 Minor 8.7.10 Stephan Kaag of Securify
107712 Improper limitation of file paths CWE-22 CVE-2017-6821 4.0 Minor 8.7.6 Greg Solovyev, Phil Pearl
107684 Improper handling of privileges CWE-280 CVE-2017-6813 4.0 Major 8.6.0 Patch9
8.7.6
Greg Solovyev
106811 XXE CWE-611 CVE-2016-9924 5.8 Major 8.6.0 Patch10
8.7.4
Alastair Gray
106612 Persistent XSS CWE-79 CVE-2017-7288 4.3 Minor 8.6.0 Patch11
8.7.1
Sammy Forgit
105001
105174
XSS CWE-79 CVE-2016-5721 4.3
2.1
Minor 8.6.0 Patch11
8.7.0
Secu
104552
104703
XSS CWE-79 CVE-2016-3999 4.3 Minor 8.7.0 Nam Habach
104477 Open Redirect CWE-601 CVE-2016-4019 4.3 Minor 8.7.0 Zimbra
104294
104456
CSRF CWE-352 CVE-2016-3406 2.6 Minor 8.6.0 Patch8
8.7.0
Zimbra
104222

104910
105071

105175
XSS CWE-79 CVE-2016-3407 4.3
3.5
4.3
2.1
Minor 8.6.0 Patch11
8.7.0
Zimbra
103997

104413
104414
104777

104791
XSS CWE-79 CVE-2016-3412 3.5 Minor 8.7.0 Zimbra
103996 XXE (Admin) CWE-611- CVE-2016-3413 2.6 Minor 8.6.0 Patch11
8.7.0
Zimbra
103961
104828
CSRF CWE-352 CVE-2016-3405 4.3 Minor 8.6.0 Patch8
8.7.0
Zimbra
103959 CSRF CWE-352 CVE-2016-3404 4.3 Minor 8.6.0 Patch8
8.7.0
Zimbra
103956

103995
104475
104838

104839
XSS CWE-79 CVE-2016-3410 4.3 Minor 8.6.0 Patch11
8.7.0
Zimbra
103609 XSS CWE-79 CVE-2016-3411 3.5 Minor 8.6.0 Patch11
8.7.0
Zimbra
102637 XSS CWE-79 CVE-2016-3409 4.3 Minor 8.6.0 Patch11
8.7.0
Peter Nguyen
102276 Deserialization of Untrusted Data CWE-502 CVE-2016-3415 5.8 Major 8.7.0 Zimbra
102227 Deserialization of Untrusted Data CWE-502 n/a 7.5 Major 8.7.0 Upstream, see
CVE-2015-4852
102029 CWE-674 CVE-2016-3414 4.0 Minor 8.6.0 Patch7
8.7.0
Zimbra
101813 XSS CWE-79 CVE-2016-3408 4.3 Minor 8.6.0 Patch11
8.7.0
Volexity
100885
100899
CSRF CWE-352 CVE-2016-3403 5.8 Major 8.6.0 Patch8
8.7.0
Sysdream
99810 CWE-284 CWE-203 CVE-2016-3401 3.5 Minor 8.7.0 Zimbra
99167 Account Enumeration CWE-203 CVE-2016-3402 2.6 Minor 8.7.0 Zimbra
101435
101436
Persistent XSS CWE-79 CVE-2015-7609 6.4
2.3
Major 8.6.0 Patch5
8.7.0
Fortinet's FortiGuard Labs
101559

100133
99854
99914

96973
XSS CWE-79 CVE-2015-2249 3.5 Minor 8.6.0 Patch5
8.7.0
Zimbra
99236 XSS Vuln in YUI components in ZCS n/a 4.3 Minor 8.6.0 Patch5 Upstream, see
CVE-2012-5881
CVE-2012-5882
CVE-2012-5883
98358

98216

98215
Non-Persistent XSS CWE-79 CVE-2015-2249 4.3 Minor 8.6.0 Patch2
8.7.0
Cure53
97625 Non-Persistent XSS CWE-79 CVE-2015-2230 3.5 Minor 8.6.0 Patch2 MWR InfoSecurity
96105 Improper Input Validation CWE-20 CVE-2014-8563 5.8 Major 8.0.9
8.5.1
8.6.0
 -
83547 CSRF Vulnerability CWE-352 CVE-2015-6541 5.8 Major 8.5.0 iSEC Partners, Sysdream
87412

92825
92833

92835
XSS Vulnerabilities CWE-79
(8.0.7 Patch
contains 87412)
CVE-2014-5500 4.3 Minor 8.0.8
8.5.0
 -
83550 Session Fixation CWE-384 CVE-2013-5119 5.8 Major 8.5.0
91484 Patch ZCS8 OpenSSL for CVE-2014-0224 n/a 6.8 Major 8.0.3+Patch
8.0.4+Patch
8.0.5+Patch
8.0.6+Patch
8.0.7+Patch
Upstream, see
CVE-2014-0224
88708 Patch ZCS8 OpenSSL for CVE-2014-0160 n/a 5.0 Major 8.0.3+Patch
8.0.4+Patch
8.0.5+Patch
8.0.6+Patch
8.0.7+Patch
8.0.7
Upstream, see
CVE-2014-0160
85499 Upgrade to OpenSSL 1.0.1f n/a 4.3
4.3
5.8
Major 8.0.7 Upstream, see
CVE-2013-4353
CVE-2013-6449
CVE-2013-6450
84547 XXE CWE-611 CVE-2013-7217 6.4
(not 10.0)
Critical 7.2.2_Patch3
7.2.3_Patch
7.2.4_Patch2
7.2.5_Patch
7.2.6
8.0.3_Patch3
8.0.4_Patch2
8.0.5_Patch
8.0.6
Private
85478 XSS vulnerability in message view - 6.4 Major 8.0.7 Alban Diquet
of iSEC Partners
85411 Local root privilege escalation - 6.2 Major 8.0.7 Matthew David
85000 Patch nginx for CVE-2013-4547 n/a 7.5 Major 7.2.7
8.0.7
Upstream, see
CVE-2013-4547

80450
80131
80445
80132

Upgrade to JDK 1.6 u41
Upgrade OpenSSL to 1.0.0k
Upgrade to JDK 1.7u15+
Upgrade to OpenSSL 1.0.1d
n/a 2.6 Minor 7.2.3
7.2.3
8.0.3
8.0.3
Upstream, see
CVE-2013-0169
80338 Local file inclusion via skin/branding feature CWE-22 CVE-2013-7091 5.0 Critical 6.0.16_Patch
7.1.1_Patch6
7.1.3_Patch3
7.2.2_Patch2
7.2.3
8.0.2_Patch
8.0.3
Private
77655 Separate keystore for CAs used for X509 authentication - 5.8 Major 8.0.7 Private
75424 Upgrade to Clamav 0.97.5 n/a 4.3
4.3
4.3
Minor 7.2.1 Upstream, see
CVE-2012-1457
CVE-2012-1458
CVE-2012-1459
64981 Do not allow HTTP GET for login - 6.8 Major 7.1.3_Patch
7.1.4
Private

Try Zimbra

Try now Zimbra Collaboration without any cost with the 60-day free Trial.
Get it now »

Want to get involved?

You can contribute in the Community, in the Wiki, in the Code, or developing Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube Channel to keep posted about Webinars, technology news, Product overviews and more.
Go to the YouTube Channel »


Jump to: navigation, search