CVSS: 9.8EPSS: 0%CPEs: 66EXPL: 0CVE-2023-29381
https://notcve.org/view.php?id=CVE-2023-29381
An issue in Zimbra Collaboration (ZCS) v.8.8.15 and v.9.0 allows a remote attacker to escalate privileges and obtain sensitive information via the password and 2FA parameters. • https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy •
CVSS: 7.8EPSS: 0%CPEs: 60EXPL: 0CVE-2023-24032
https://notcve.org/view.php?id=CVE-2023-24032
In Zimbra Collaboration Suite through 9.0 and 8.8.15, an attacker (who has initial user access to a Zimbra server instance) can execute commands as root by passing one of JVM arguments, leading to local privilege escalation (LPE). En Zimbra Collaboration Suite a través de las versiones 9.0 y 8.8.15, un atacante (que tiene acceso de usuario inicial a una instancia de servidor Zimbra) puede ejecutar comandos como root pasando uno de los argumentos "JVM", lo que lleva a la escalada de privilegios local (LPE). • https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 6.1EPSS: 0%CPEs: 23EXPL: 0CVE-2023-24031
https://notcve.org/view.php?id=CVE-2023-24031
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 8.8.15. XSS can occur, via one of attributes of the webmail /h/ endpoint, to execute arbitrary JavaScript code, leading to information disclosure. Se ha descubierto un problema en Zimbra Collaboration (ZCS) v9.0 y v8.8.15. Cross-Site Scripting (XSS) puede ocurrir, a través de uno de los atributos del endpoint /h/ del webmail, para ejecutar código JavaScript arbitrario, lo que lleva a la divulgación de información. • https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 58EXPL: 0CVE-2023-24030
https://notcve.org/view.php?id=CVE-2023-24030
An open redirect vulnerability exists in the /preauth Servlet in Zimbra Collaboration Suite through 9.0 and 8.8.15. To exploit the vulnerability, an attacker would need to have obtained a valid zimbra auth token or a valid preauth token. Once the token is obtained, an attacker could redirect a user to any URL if url sanitisation is bypassed in incoming requests. NOTE: this is similar, but not identical, to CVE-2021-34807. Existe una vulnerabilidad de redirección abierta en el Servlet "/preauth" en Zimbra Collaboration Suite a través de las versiones 9.0 y 8.8.15. • https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.1EPSS: 0%CPEs: 63EXPL: 0CVE-2022-45913
https://notcve.org/view.php?id=CVE-2022-45913
An issue was discovered in Zimbra Collaboration (ZCS) 9.0. XSS can occur via one of attributes in webmail URLs to execute arbitrary JavaScript code, leading to information disclosure. Se descubrió un problema en Zimbra Collaboration (ZCS) 9.0. XSS puede ocurrir a través de uno de los atributos en las URL de correo web para ejecutar código JavaScript arbitrario, lo que lleva a la divulgación de información. • https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •