CVSS: 8.8EPSS: 6%CPEs: 13EXPL: 0CVE-2015-7610
https://notcve.org/view.php?id=CVE-2015-7610
Cross-site request forgery (CSRF) vulnerability in the login form in Zimbra Collaboration Suite (aka ZCS) before 8.6.0 Patch 10, 8.7.x before 8.7.11 Patch 2, and 8.8.x before 8.8.8 Patch 1 allows remote attackers to hijack the authentication of unspecified victims by leveraging failure to use a CSRF token. Vulnerabilidad Cross-Site Request Forgery (CSRF) en el formulario de inicio de sesión en Zimbra Collaboration Suite (ZCS) en versiones anteriores a la 8.6.0 Patch 10, versiones 8.7.x anteriores a la 8.7.11 Patch 2 y versiones 8.8.x anteriores a la 8.8.8 Patch 1 permite que atacantes remotos secuestren la autenticación de víctimas no especificadas aprovechando el error a la hora de emplear un token CSRF. • https://blog.zimbra.com/2018/04/new-patches-for-you-zimbra-8-8-8-turing-patch-1-zimbra-8-7-11-patch-2 https://blog.zimbra.com/2018/05/new-patches-zimbra-8-8-8-turing-patch-3-zimbra-8-7-11-patch-3-zimbra-8-6-0-patch-10 https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0/P10 https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P2 https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P1 https://wiki.zi • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 14EXPL: 0CVE-2018-10951
https://notcve.org/view.php?id=CVE-2018-10951
mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 before 8.6.0.Patch10 allows zimbraSSLPrivateKey read access via a GetServer, GetAllServers, or GetAllActiveServers call in the Admin SOAP API. mailboxd en Zimbra Collaboration Suite, en versiones 8.8 anteriores a la 8.8.8; versiones 8.7 anteriores a la 8.7.11.Patch3 y versiones 8.6 anteriores a la 8.6.0.Patch10, permite el acceso de lectura zimbraSSLPrivateKey mediante una llamada GetServer, GetAllServers o GetAllActiveServers en la API SOAP Admin. • https://bugzilla.zimbra.com/show_bug.cgi?id=108894 •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-5721
https://notcve.org/view.php?id=CVE-2016-5721
Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidades de XSS en Zimbra Collaboration en versiones anteriores a 8.7.0 permite a atacantes remotos inyectar secuencia de comandos web o HTML a través de vectores no especificados. • http://www.securityfocus.com/bid/92682 https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2015-6541 – Zimbra 8.0.9 GA - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2015-6541
Multiple cross-site request forgery (CSRF) vulnerabilities in the Mail interface in Zimbra Collaboration Server (ZCS) before 8.5 allow remote attackers to hijack the authentication of arbitrary users for requests that change account preferences via a SOAP request to service/soap/BatchRequest. Múltiples vulnerabilidades de CSRF en la inerfaz Mail en Zimbra Collaboration Server (ZCS) en versiones anteriores a 8.5 permiten a atacantes remotos secuestrar la autenticación de usuarios arbitrarios para peticiones que cambian preferencias de cuenta a través de una petición SOAP a service/soap/BatchRequest. • https://www.exploit-db.com/exploits/39500 http://seclists.org/fulldisclosure/2016/Feb/121 https://wiki.zimbra.com/wiki/Security/Collab/86#Notes_from_8.5_.28Jetty.29 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 1%CPEs: 1EXPL: 4CVE-2012-1213 – Zimbra - 'view' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-1213
Cross-site scripting (XSS) vulnerability in zimbra/h/calendar in Zimbra Web Client in Zimbra Collaboration Suite (ZCS) 6.x before 6.0.15 and 7.x before 7.1.3 allows remote attackers to inject arbitrary web script or HTML via the view parameter. Vulnerabilidad de Cross-Site Scripting (XSS) en zimbra/h/calendar en Zimbra Web Client en Zimbra Collaboration Suite (ZCS) en versiones 6.x anteriores a la 6.0.15 y 7.x anteriores a la 7.1.3 permite que atacantes remotos inyecten scripts web o HTML arbitrarios mediante el parámetro view. • https://www.exploit-db.com/exploits/36695 http://packetstormsecurity.org/files/109710/Zimbra-Cross-Site-Scripting.html http://st2tea.blogspot.com/2012/02/zimbra-cross-site-scripting.html http://www.securityfocus.com/bid/51974 https://bugzilla.zimbra.com/show_bug.cgi?id=63849 https://exchange.xforce.ibmcloud.com/vulnerabilities/73168 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •