CVSS: 9.8EPSS: 0%CPEs: 25EXPL: 0CVE-2018-20160
https://notcve.org/view.php?id=CVE-2018-20160
ZxChat (aka ZeXtras Chat), as used for zimbra-chat and zimbra-talk in Synacor Zimbra Collaboration Suite 8.7 and 8.8 and in other products, allows XXE attacks, as demonstrated by a crafted XML request to mailboxd. ZxChat (conocido como ZeXtras Chat), es usado para zimbra-chat y zimbra-talk en Synacor Zimbra Collaboration Suite versiones 8.7 y 8.8 y en otros productos, permite ataques de tipo XXE, como demuestra una petición XML creada al componente buzón mailboxd. • https://bugzilla.zimbra.com/show_bug.cgi?id=109093 https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 9.8EPSS: 0%CPEs: 26EXPL: 0CVE-2019-6980
https://notcve.org/view.php?id=CVE-2019-6980
Synacor Zimbra Collaboration Suite 8.7.x through 8.8.11 allows insecure object deserialization in the IMAP component. Synacor Zimbra Collaboration Suite versión 8.7.x hasta la 8.8.11, permite una deserialización no segura de objetos en el componente IMAP. • https://bugzilla.zimbra.com/show_bug.cgi?id=109097 https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 97%CPEs: 11EXPL: 5CVE-2019-9670 – Synacor Zimbra Collaboration (ZCS) Improper Restriction of XML External Entity Reference
https://notcve.org/view.php?id=CVE-2019-9670
mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability, as demonstrated by Autodiscover/Autodiscover.xml. El componente mailboxd en Synacor Zimbra Collaboration Suite 8.7.x antes de 8.7.11p10 tiene una vulnerabilidad de inyección de entidad externa XML (XXE), como lo demuestra Autodiscover/Autodiscover.xml Improper Restriction of XML External Entity Reference vulnerability affecting Synacor Zimbra Collaboration (ZCS). • https://www.exploit-db.com/exploits/46693 https://github.com/Cappricio-Securities/CVE-2019-9670 https://github.com/OracleNep/CVE-2019-9670-DtdFilegeneration http://packetstormsecurity.com/files/152487/Zimbra-Collaboration-Autodiscover-Servlet-XXE-ProxyServlet-SSRF.html http://www.rapid7.com/db/modules/exploit/linux/http/zimbra_xxe_rce https://bugzilla.zimbra.com/show_bug.cgi?id=109129 https://isc.sans.edu/forums/diary/CVE20199670+Zimbra+Collaboration+Suite+XXE+vulnerability/27570 https://wiki.zimbra.com • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 6.1EPSS: 0%CPEs: 21EXPL: 3CVE-2018-14013 – Zimbra Collaboration Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-14013
Synacor Zimbra Collaboration Suite Collaboration before 8.8.11 has XSS in the AJAX and html web clients. Synacor Zimbra Collaboration Suite Collaboration anteriores a la versión 8.8.11, tiene una vulnerabilidad de tipo XSS en los clientes web AJAX y html. Zimbra Collaboration versions prior to 8.8.11 suffer from multiple cross site scripting vulnerabilities. • http://packetstormsecurity.com/files/151472/Zimbra-Collaboration-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2019/Feb/3 http://www.openwall.com/lists/oss-security/2019/01/30/1 http://www.securityfocus.com/bid/106787 https://bugzilla.zimbra.com/show_bug.cgi?id=109017 https://bugzilla.zimbra.com/show_bug.cgi?id=109018 https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2018-17938
https://notcve.org/view.php?id=CVE-2018-17938
Zimbra Collaboration before 8.8.10 GA allows text content spoofing via a loginErrorCode value. Zimbra Collaboration en versiones anteriores a la 8.8.10 GA permite la suplantación de contenido de texto mediante un valor loginErrorCode. • https://bugzilla.zimbra.com/show_bug.cgi?id=109021 https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10 • CWE-345: Insufficient Verification of Data Authenticity •