
CVSS: 9.8 • EPSS: 0% • CPEs: 66 • EXPL: 0

An issue in Zimbra Collaboration (ZCS) v.8.8.15 and v.9.0 allows a remote attacker to escalate privileges and obtain sensitive information via the password and 2FA parameters. • https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy

CVSS: 9.0 • EPSS: 43% • CPEs: 37 • EXPL: 0

Cross Site Scripting vulnerability in Zimbra ZCS v.8.8.15 allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function. • https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.8 • EPSS: 0% • CPEs: 60 • EXPL: 0

In Zimbra Collaboration Suite through 9.0 and 8.8.15, an attacker (who has initial user access to a Zimbra server instance) can execute commands as root by passing one of the JVM arguments, leading to local privilege escalation (LPE). • https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 6.1 • EPSS: 0% • CPEs: 23 • EXPL: 0

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 8.8.15. XSS can occur, via one of the attributes of the webmail /h/ endpoint, to execute arbitrary JavaScript code, leading to information disclosure. • https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 58 • EXPL: 0

An open redirect vulnerability exists in the /preauth Servlet in Zimbra Collaboration Suite through 9.0 and 8.8.15. To exploit the vulnerability, an attacker would need to have obtained a valid Zimbra auth token or a valid preauth token. Once the token is obtained, an attacker could redirect a user to any URL if URL sanitisation is bypassed in incoming requests. NOTE: this is similar, but not identical, to CVE-2021-34807. • https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')