CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-3409
https://notcve.org/view.php?id=CVE-2016-3409
Cross-site scripting (XSS) vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bug 102637. Vulnerabilidad de XSS en Zimbra Collaboration en versiones anteriores a 8.7.0 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados, vulnerabilidad también conocida como error 102637. • http://www.securityfocus.com/bid/95896 https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.0 https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-3412
https://notcve.org/view.php?id=CVE-2016-3412
Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bugs 103997, 104413, 104414, 104777, and 104791. Múltiples vulnerabilidades de XSS en Zimbra Collaboration en versiones anteriores a 8.7.0 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados, vulnerabilidades también conocidas como errores 103997, 104413, 104414, 104777 y 104791. • http://www.securityfocus.com/bid/95899 https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.0 https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-3415
https://notcve.org/view.php?id=CVE-2016-3415
Zimbra Collaboration before 8.7.0 allows remote attackers to conduct deserialization attacks via unspecified vectors, aka bug 102276. Zimbra Collaboration en versiones anteriores a 8.7.0 permite a atacantes remotos llevar a cabo ataques de deserialización a través de vectores no especificados, vulnerabilidad también conocida como error 102276. • http://www.securityfocus.com/bid/95917 https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.0 https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2016-3403 – Zimbra Cross Site Request Forgery
https://notcve.org/view.php?id=CVE-2016-3403
Multiple cross-site request forgery (CSRF) vulnerabilities in the Admin Console in Zimbra Collaboration before 8.6.0 Patch 8 allow remote attackers to hijack the authentication of administrators for requests that (1) add, (2) modify, or (3) remove accounts by leveraging failure to use of a CSRF token and perform referer header checks, aka bugs 100885 and 100899. Múltiples vulnerabilidades de tipo cross-site request forgery (CSRF) en la Consola Administrativa en Zimbra Collaboration anterior a versión 8.6.0 Parche 8, permiten a los atacantes remotos secuestrar la autenticación de administradores para pedir que (1) agregue, (2) modifique o (3) elimine cuentas mediante el aprovechamiento de un fallo en el uso de un token CSRF y realizar comprobaciones de encabezado de referencia, también se conoce como errores 100885 y 100899. Zimbra versions prior to 8.7 suffer from cross site request forgery vulnerabilities in the administrative interface. • http://seclists.org/fulldisclosure/2017/Jan/30 http://www.securityfocus.com/bid/95383 https://bugzilla.zimbra.com/show_bug.cgi?id=100885 https://bugzilla.zimbra.com/show_bug.cgi?id=100899 https://sysdream.com/news/lab/2017-01-12-cve-2016-3403-multiple-csrf-in-zimbra-administration-interface https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6_Patch_8 https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.0 https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.0EPSS: 97%CPEs: 16EXPL: 4CVE-2013-7091 – Zimbra Collaboration Server 7.2.2/8.0.2 - Local File Inclusion
https://notcve.org/view.php?id=CVE-2013-7091
Directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the skin parameter. NOTE: this can be leveraged to execute arbitrary code by obtaining LDAP credentials and accessing the service/admin/soap API. Vulnerabilidad de salto de directorio en /res/I18nMsg, AjxMsg, ZMsg, ZmMsg, AjxKeys, ZmKeys, ZdMsg, Ajx% 20TemplateMsg.js.zgz en Zimbra que permite a atacantes remotos leer archivos de su elección a través de .. (punto punto) en el parámetro skin. • https://www.exploit-db.com/exploits/30472 https://www.exploit-db.com/exploits/30085 http://osvdb.org/100747 http://packetstormsecurity.com/files/124321 http://www.exploit-db.com/exploits/30085 http://www.exploit-db.com/exploits/30472 http://www.securityfocus.com/bid/64149 https://exchange.xforce.ibmcloud.com/vulnerabilities/89527 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •