CVSS: 10.0EPSS: 76%CPEs: 82EXPL: 3CVE-2024-45519 – Synacor Zimbra Collaboration Command Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-45519
The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows unauthenticated users to execute commands. El servicio postjournal en Zimbra Collaboration (ZCS) anterior a la versión 8.8.15 parche 46, 9 anterior a la versión 9.0.0 parche 41, 10 anterior a la versión 10.0.9 y 10.1 anterior a la versión 10.1.1 a veces permite que usuarios no autenticados ejecuten comandos. Synacor Zimbra Collaboration contains an unspecified vulnerability in the postjournal service that may allow an unauthenticated user to execute commands. • https://github.com/Chocapikk/CVE-2024-45519 https://github.com/p33d/CVE-2024-45519 https://github.com/TOB1a3/CVE-2024-45519-PoC https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_Fixes https://wiki.zimbra.com/wiki&# • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-863: Incorrect Authorization •
CVSS: 6.1EPSS: 0%CPEs: 73EXPL: 0CVE-2023-43103
https://notcve.org/view.php?id=CVE-2023-43103
An XSS issue was discovered in a web endpoint in Zimbra Collaboration (ZCS) before 10.0.4 via an unsanitized parameter. This is also fixed in 8.8.15 Patch 43 and 9.0.0 Patch 36. Se descubrió un problema XSS en un endpoint web en Zimbra Collaboration (ZCS) anterior a 10.0.4 a través de un parámetro no sanitizado. Esto también se solucionó en el parche 43 8.8.15 y el parche 36 9.0.0. • https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 73EXPL: 0CVE-2023-43102
https://notcve.org/view.php?id=CVE-2023-43102
An issue was discovered in Zimbra Collaboration (ZCS) before 10.0.4. An XSS issue can be exploited to access the mailbox of an authenticated user. This is also fixed in 8.8.15 Patch 43 and 9.0.0 Patch 36. Se descubrió un problema en Zimbra Collaboration (ZCS) antes de 10.0.4. Se puede aprovechar un problema XSS para acceder al buzón de correo de un usuario autenticado. • https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 71EXPL: 0CVE-2023-41106
https://notcve.org/view.php?id=CVE-2023-41106
An issue was discovered in Zimbra Collaboration (ZCS) before 10.0.3. An attacker can gain access to a Zimbra account. This is also fixed in 9.0.0 Patch 35 and 8.8.15 Patch 42. Se descubrió un problema en Zimbra Collaboration (ZCS) antes de 10.0.3. Un atacante puede obtener acceso a una cuenta de Zimbra. • http://www.openwall.com/lists/oss-security/2023/11/17/2 https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories •
CVSS: 7.8EPSS: 0%CPEs: 63EXPL: 3CVE-2022-37393 – Zimbra zmslapd arbitrary module load
https://notcve.org/view.php?id=CVE-2022-37393
Zimbra's sudo configuration permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters. As part of its intended functionality, zmslapd can load a user-defined configuration file, which includes plugins in the form of .so files, which also execute as root. La configuración sudo de Zimbra permite al usuario zimbra ejecutar el binario zmslapd como root con parámetros arbitrarios. Como parte de su funcionalidad prevista, zmslapd puede cargar un archivo de configuración definido por el usuario, que incluye plugins en forma de archivos .so, que también son ejecutadas como root. • https://attackerkb.com/topics/92AeLOE1M1/cve-2022-37393/rapid7-analysis https://darrenmartyn.ie/2021/10/27/zimbra-zmslapd-local-root-exploit https://github.com/rapid7/metasploit-framework/pull/16807 • CWE-284: Improper Access Control •