CVSS: 5.7EPSS: 0%CPEs: 2EXPL: 0CVE-2022-37043
https://notcve.org/view.php?id=CVE-2022-37043
An issue was discovered in the webmail component in Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0. When using preauth, CSRF tokens are not checked on some POST endpoints. Thus, when an authenticated user views an attacker-controlled page, a request will be sent to the application that appears to be intended. The CSRF token is omitted from the request, but the request still succeeds. Se ha descubierto un problema en el componente webmail de Zimbra Collaboration Suite (ZCS) versiones 8.8.15 y 9.0. • https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 97%CPEs: 2EXPL: 3CVE-2022-37042 – Zimbra Collaboration (ZCS) Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2022-37042
Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925. Zimbra Collaboration Suite (ZCS) versiones 8.8.15 y 9.0, presenta una funcionalidad mboximport que recibe un archivo ZIP y extrae archivos de él. Al omitir la autenticación (es decir, al no tener un authtoken), un atacante puede cargar archivos arbitrarios en el sistema, conllevando a un salto de directorios y una ejecución de código remota. • https://github.com/aels/CVE-2022-37042 https://github.com/0xf4n9x/CVE-2022-37042 http://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-37041
https://notcve.org/view.php?id=CVE-2022-37041
An issue was discovered in ProxyServlet.java in the /proxy servlet in Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0. The value of the X-Forwarded-Host header overwrites the value of the Host header in proxied requests. The value of X-Forwarded-Host header is not checked against the whitelist of hosts that ZCS is allowed to proxy to (the zimbraProxyAllowedDomains setting). Se ha detectado un problema en el archivo ProxyServlet.java en el servlet /proxy de Zimbra Collaboration Suite (ZCS) versiones 8.8.15 y 9.0. El valor del encabezado X-Forwarded-Host sobrescribe el valor de la cabecera Host en las peticiones proxy. • https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.8EPSS: 0%CPEs: 63EXPL: 3CVE-2022-37393 – Zimbra zmslapd arbitrary module load
https://notcve.org/view.php?id=CVE-2022-37393
Zimbra's sudo configuration permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters. As part of its intended functionality, zmslapd can load a user-defined configuration file, which includes plugins in the form of .so files, which also execute as root. La configuración sudo de Zimbra permite al usuario zimbra ejecutar el binario zmslapd como root con parámetros arbitrarios. Como parte de su funcionalidad prevista, zmslapd puede cargar un archivo de configuración definido por el usuario, que incluye plugins en forma de archivos .so, que también son ejecutadas como root. • https://attackerkb.com/topics/92AeLOE1M1/cve-2022-37393/rapid7-analysis https://darrenmartyn.ie/2021/10/27/zimbra-zmslapd-local-root-exploit https://github.com/rapid7/metasploit-framework/pull/16807 • CWE-284: Improper Access Control •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-32294
https://notcve.org/view.php?id=CVE-2022-32294
Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-login randomly created password (from the "zmprove ca" command). It is visible in cleartext on port UDP 514 (aka the syslog port). NOTE: a third party reports that this cannot be reproduced. Zimbra Collaboration Open Source versión 8.8.15, no cifra la contraseña de inicio de sesión creada aleatoriamente (desde el comando "zmprove ca"). Es visible en texto sin cifrar en el puerto UDP 514 (también se conoce como el puerto syslog) • https://github.com/soheilsamanabadi/vulnerabilitys/blob/main/Zimbra%208.8.15%20zmprove%20ca%20command https://github.com/soheilsamanabadi/vulnerabilitys/pull/1 https://medium.com/%40soheil.samanabadi/zimbra-8-8-15-zmprove-ca-command-incorrect-access-control-8088032638e https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-863: Incorrect Authorization •