CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 0CVE-2018-10939
https://notcve.org/view.php?id=CVE-2018-10939
Zimbra Web Client (ZWC) in Zimbra Collaboration Suite 8.8 before 8.8.8.Patch4 and 8.7 before 8.7.11.Patch4 has Persistent XSS via a contact group. Zimbra Web Client (ZWC) en Zimbra Collaboration Suite en versiones 8.8 anteriores a la 8.8.8.Patch4 y versiones 8.7 anteriores a la 8.7.11.Patch4 tiene Cross-Site Scripting (XSS) persistente mediante un grupo de contactos. • https://blog.zimbra.com/2018/05/new-zimbra-patches-8-8-8-patch-4-and-8-7-11-patch-4 https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P4 https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P4 https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 6%CPEs: 13EXPL: 0CVE-2015-7610
https://notcve.org/view.php?id=CVE-2015-7610
Cross-site request forgery (CSRF) vulnerability in the login form in Zimbra Collaboration Suite (aka ZCS) before 8.6.0 Patch 10, 8.7.x before 8.7.11 Patch 2, and 8.8.x before 8.8.8 Patch 1 allows remote attackers to hijack the authentication of unspecified victims by leveraging failure to use a CSRF token. Vulnerabilidad Cross-Site Request Forgery (CSRF) en el formulario de inicio de sesión en Zimbra Collaboration Suite (ZCS) en versiones anteriores a la 8.6.0 Patch 10, versiones 8.7.x anteriores a la 8.7.11 Patch 2 y versiones 8.8.x anteriores a la 8.8.8 Patch 1 permite que atacantes remotos secuestren la autenticación de víctimas no especificadas aprovechando el error a la hora de emplear un token CSRF. • https://blog.zimbra.com/2018/04/new-patches-for-you-zimbra-8-8-8-turing-patch-1-zimbra-8-7-11-patch-2 https://blog.zimbra.com/2018/05/new-patches-zimbra-8-8-8-turing-patch-3-zimbra-8-7-11-patch-3-zimbra-8-6-0-patch-10 https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0/P10 https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P2 https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P1 https://wiki.zi • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 14EXPL: 0CVE-2018-10951
https://notcve.org/view.php?id=CVE-2018-10951
mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 before 8.6.0.Patch10 allows zimbraSSLPrivateKey read access via a GetServer, GetAllServers, or GetAllActiveServers call in the Admin SOAP API. mailboxd en Zimbra Collaboration Suite, en versiones 8.8 anteriores a la 8.8.8; versiones 8.7 anteriores a la 8.7.11.Patch3 y versiones 8.6 anteriores a la 8.6.0.Patch10, permite el acceso de lectura zimbraSSLPrivateKey mediante una llamada GetServer, GetAllServers o GetAllActiveServers en la API SOAP Admin. • https://bugzilla.zimbra.com/show_bug.cgi?id=108894 •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2008-1226
https://notcve.org/view.php?id=CVE-2008-1226
Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collaboration Suite (ZCS) 4.0.3, 4.5.6, and possibly other versions before 4.5.10 allow remote attackers to inject arbitrary web script or HTML via an e-mail attachment, possibly involving a (1) .jpg or (2) .gif image attachment. Múltiples Vulnerabilidades de secuencias de comandos en sitios cruzados (XSS)en Zimbra Collaboration Suite (ZCS) 4.0.3, 4.5.6 y posiblemente otras versiones anteriores a 4.5.10, permite a atacantes remotos inyectar secuencias de comandos web o html de su elección a través de un adjunto de e-mail usando ficheros (1) .jpg o (2) .gif. • http://jvn.jp/jp/JVN%2395014590/index.html http://jvndb.jvn.jp/ja/contents/2008/JVNDB-2008-000004.html http://secunia.com/advisories/29263 http://www.securityfocus.com/bid/28134 http://www.zimbra.com/jp/products/vulnerability.html https://exchange.xforce.ibmcloud.com/vulnerabilities/41044 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •