CVSS: 9.8EPSS: 0%CPEs: 66EXPL: 0CVE-2023-29381
https://notcve.org/view.php?id=CVE-2023-29381
An issue in Zimbra Collaboration (ZCS) v.8.8.15 and v.9.0 allows a remote attacker to escalate privileges and obtain sensitive information via the password and 2FA parameters. • https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy • CWE-863: Incorrect Authorization •
CVSS: 9.0EPSS: 40%CPEs: 37EXPL: 0CVE-2023-34192
https://notcve.org/view.php?id=CVE-2023-34192
Cross Site Scripting vulnerability in Zimbra ZCS v.8.8.15 allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function. • https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 37EXPL: 0CVE-2023-34193
https://notcve.org/view.php?id=CVE-2023-34193
File Upload vulnerability in Zimbra ZCS 8.8.15 allows an authenticated privileged user to execute arbitrary code and obtain sensitive information via the ClientUploader function. • https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.8EPSS: 0%CPEs: 60EXPL: 0CVE-2023-24032
https://notcve.org/view.php?id=CVE-2023-24032
In Zimbra Collaboration Suite through 9.0 and 8.8.15, an attacker (who has initial user access to a Zimbra server instance) can execute commands as root by passing one of JVM arguments, leading to local privilege escalation (LPE). En Zimbra Collaboration Suite a través de las versiones 9.0 y 8.8.15, un atacante (que tiene acceso de usuario inicial a una instancia de servidor Zimbra) puede ejecutar comandos como root pasando uno de los argumentos "JVM", lo que lleva a la escalada de privilegios local (LPE). • https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 6.1EPSS: 0%CPEs: 58EXPL: 0CVE-2023-24030
https://notcve.org/view.php?id=CVE-2023-24030
An open redirect vulnerability exists in the /preauth Servlet in Zimbra Collaboration Suite through 9.0 and 8.8.15. To exploit the vulnerability, an attacker would need to have obtained a valid zimbra auth token or a valid preauth token. Once the token is obtained, an attacker could redirect a user to any URL if url sanitisation is bypassed in incoming requests. NOTE: this is similar, but not identical, to CVE-2021-34807. Existe una vulnerabilidad de redirección abierta en el Servlet "/preauth" en Zimbra Collaboration Suite a través de las versiones 9.0 y 8.8.15. • https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •