CVE-2016-5721
https://notcve.org/view.php?id=CVE-2016-5721
Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidades de XSS en Zimbra Collaboration en versiones anteriores a 8.7.0 permite a atacantes remotos inyectar secuencia de comandos web o HTML a través de vectores no especificados. • http://www.securityfocus.com/bid/92682 https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2015-6541 – Zimbra 8.0.9 GA - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2015-6541
Multiple cross-site request forgery (CSRF) vulnerabilities in the Mail interface in Zimbra Collaboration Server (ZCS) before 8.5 allow remote attackers to hijack the authentication of arbitrary users for requests that change account preferences via a SOAP request to service/soap/BatchRequest. Múltiples vulnerabilidades de CSRF en la inerfaz Mail en Zimbra Collaboration Server (ZCS) en versiones anteriores a 8.5 permiten a atacantes remotos secuestrar la autenticación de usuarios arbitrarios para peticiones que cambian preferencias de cuenta a través de una petición SOAP a service/soap/BatchRequest. • https://www.exploit-db.com/exploits/39500 http://seclists.org/fulldisclosure/2016/Feb/121 https://wiki.zimbra.com/wiki/Security/Collab/86#Notes_from_8.5_.28Jetty.29 • CWE-352: Cross-Site Request Forgery (CSRF) •