CVE-2019-9670 – Synacor Zimbra Collaboration (ZCS) Improper Restriction of XML External Entity Reference
https://notcve.org/view.php?id=CVE-2019-9670
The mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability, as demonstrated by Autodiscover/Autodiscover.xml. Improper Restriction of XML External Entity Reference vulnerability affecting Synacor Zimbra Collaboration (ZCS).
References:
https://www.exploit-db.com/exploits/46693
https://github.com/Cappricio-Securities/CVE-2019-9670
https://github.com/OracleNep/CVE-2019-9670-DtdFilegeneration
http://packetstormsecurity.com/files/152487/Zimbra-Collaboration-Autodiscover-Servlet-XXE-ProxyServlet-SSRF.html
http://www.rapid7.com/db/modules/exploit/linux/http/zimbra_xxe_rce
https://bugzilla.zimbra.com/show_bug.cgi?id=109129
https://isc.sans.edu/forums/diary/CVE20199670+Zimbra+Collaboration+Suite+XXE+vulnerability/27570
https://wiki.zimbra.com
CWE-611: Improper Restriction of XML External Entity Reference
CVE-2018-14013 – Zimbra Collaboration Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-14013
Synacor Zimbra Collaboration Suite before 8.8.11 has XSS in the AJAX and HTML web clients. Zimbra Collaboration versions prior to 8.8.11 suffer from multiple cross-site scripting vulnerabilities.
References:
http://packetstormsecurity.com/files/151472/Zimbra-Collaboration-Cross-Site-Scripting.html
http://seclists.org/fulldisclosure/2019/Feb/3
http://www.openwall.com/lists/oss-security/2019/01/30/1
http://www.securityfocus.com/bid/106787
https://bugzilla.zimbra.com/show_bug.cgi?id=109017
https://bugzilla.zimbra.com/show_bug.cgi?id=109018
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-17938
https://notcve.org/view.php?id=CVE-2018-17938
Zimbra Collaboration before 8.8.10 GA allows text content spoofing via a loginErrorCode value.
References:
https://bugzilla.zimbra.com/show_bug.cgi?id=109021
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10
CWE-345: Insufficient Verification of Data Authenticity
CVE-2018-10939
https://notcve.org/view.php?id=CVE-2018-10939
Zimbra Web Client (ZWC) in Zimbra Collaboration Suite 8.8 before 8.8.8.Patch4 and 8.7 before 8.7.11.Patch4 has persistent XSS via a contact group.
References:
https://blog.zimbra.com/2018/05/new-zimbra-patches-8-8-8-patch-4-and-8-7-11-patch-4
https://wiki.zimbra.com/wiki/Security_Center
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P4
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P4
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-7610
https://notcve.org/view.php?id=CVE-2015-7610
Cross-site request forgery (CSRF) vulnerability in the login form in Zimbra Collaboration Suite (aka ZCS) before 8.6.0 Patch 10, 8.7.x before 8.7.11 Patch 2, and 8.8.x before 8.8.8 Patch 1 allows remote attackers to hijack the authentication of unspecified victims by leveraging the failure to use a CSRF token.
References:
https://blog.zimbra.com/2018/04/new-patches-for-you-zimbra-8-8-8-turing-patch-1-zimbra-8-7-11-patch-2
https://blog.zimbra.com/2018/05/new-patches-zimbra-8-8-8-turing-patch-3-zimbra-8-7-11-patch-3-zimbra-8-6-0-patch-10
https://wiki.zimbra.com/wiki/Security_Center
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0/P10
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P2
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P1
https://wiki.zi
CWE-352: Cross-Site Request Forgery (CSRF)