CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 1CVE-2018-10949
https://notcve.org/view.php?id=CVE-2018-10949
mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 allows Account Enumeration by leveraging a Discrepancy between the "HTTP 404 - account is not active" and "HTTP 401 - must authenticate" errors. mailboxd en Zimbra Collaboration Suite, en versiones 8.8 anteriores a la 8.8.8; versiones 8.7 anteriores a la 8.7.11.Patch3 y en versiones 8.6, permite la enumeración de cuentas aprovechando una discrepancia entre los errores "HTTP 404 - account is not active" y "HTTP 401 - must authenticate". • https://github.com/0x00-0x00/CVE-2018-10949 https://bugzilla.zimbra.com/show_bug.cgi?id=108962 • CWE-203: Observable Discrepancy •
CVSS: 5.3EPSS: 0%CPEs: 16EXPL: 0CVE-2018-10950
https://notcve.org/view.php?id=CVE-2018-10950
mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 before 8.6.0.Patch10 allows Information Exposure through Verbose Error Messages containing a stack dump, tracing data, or full user-context dump. mailboxd en Zimbra Collaboration Suite, en versiones 8.8 anteriores a la 8.8.8; versiones 8.7 anteriores a la 8.7.11.Patch3 y versiones 8.6 anteriores a la 8.6.0.Patch10, permite la exposición de información mediante mensajes de error verbose que contienen un volcado de pila, datos de rastreo o un volcado completo del contexto del usuario. • https://bugzilla.zimbra.com/show_bug.cgi?id=108963 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 14EXPL: 0CVE-2018-10951
https://notcve.org/view.php?id=CVE-2018-10951
mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 before 8.6.0.Patch10 allows zimbraSSLPrivateKey read access via a GetServer, GetAllServers, or GetAllActiveServers call in the Admin SOAP API. mailboxd en Zimbra Collaboration Suite, en versiones 8.8 anteriores a la 8.8.8; versiones 8.7 anteriores a la 8.7.11.Patch3 y versiones 8.6 anteriores a la 8.6.0.Patch10, permite el acceso de lectura zimbraSSLPrivateKey mediante una llamada GetServer, GetAllServers o GetAllActiveServers en la API SOAP Admin. • https://bugzilla.zimbra.com/show_bug.cgi?id=108894 •
CVSS: 6.1EPSS: 0%CPEs: 9EXPL: 1CVE-2018-6882 – Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
https://notcve.org/view.php?id=CVE-2018-6882
Cross-site scripting (XSS) vulnerability in the ZmMailMsgView.getAttachmentLinkHtml function in Zimbra Collaboration Suite (ZCS) before 8.7 Patch 1 and 8.8.x before 8.8.7 might allow remote attackers to inject arbitrary web script or HTML via a Content-Location header in an email attachment. Vulnerabilidad de Cross-Site Scripting (XSS) en la función ZmMailMsgView.getAttachmentLinkHtml en Zimbra Collaboration Suite (ZCS), en versiones anteriores a la 8.7 Patch 1 y versiones 8.8.x anteriores a la 8.8.7, podría permitir que atacantes remotos inyecten scripts web o HTML arbitrarios mediante una cabecera Content-Location en un adjunto de correo electrónico. Zimbra Collaboration Suite version 8.7.11_GA_1854 suffers from a cross site scripting vulnerability. Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that might allow remote attackers to inject arbitrary web script or HTML. • http://seclists.org/fulldisclosure/2018/Mar/52 http://www.securityfocus.com/archive/1/541891/100/0/threaded https://bugzilla.zimbra.com/show_bug.cgi?id=108786 https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.7 https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories https://www.securify.nl/advisory/SFY20180101/cross-site-scripting-vulnerability-in-zimbra-collaboration-suite-due-to-the-way-it-handles-attachment-links.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-17703
https://notcve.org/view.php?id=CVE-2017-17703
Synacor Zimbra Collaboration Suite (ZCS) before 8.8.3 has Persistent XSS. Synacor Zimbra Collaboration Suite (ZCS) en versiones anteriores a la 8.8.3 tiene XSS persistente. • https://bugzilla.zimbra.com/show_bug.cgi?id=108265 https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •