CVSS: 6.5EPSS: %CPEs: 1EXPL: 0CVE-2024-9665 – Zimbra GraphQL Cross-Site Request Forgery Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2024-9665
Zimbra GraphQL Cross-Site Request Forgery Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Zimbra. User interaction is required to exploit this vulnerability in that the target must open a malicious email message. The specific flaw exists within the implementation of the graphql endpoint. The issue results from the lack of proper protections against cross-site request forgery (CSRF) attacks. An attacker can leverage this vulnerability to disclose information in the context of the target email account. • https://blog.zimbra.com/2024/10/new-patch-release-reminders-for-missing-attachments-out-of-office-notifications-traffic-light-protocol-tlp-and-mailto-links https://www.zerodayinitiative.com/advisories/ZDI-24-1369 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0EPSS: 76%CPEs: 82EXPL: 3CVE-2024-45519 – Synacor Zimbra Collaboration Command Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-45519
The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows unauthenticated users to execute commands. El servicio postjournal en Zimbra Collaboration (ZCS) anterior a la versión 8.8.15 parche 46, 9 anterior a la versión 9.0.0 parche 41, 10 anterior a la versión 10.0.9 y 10.1 anterior a la versión 10.1.1 a veces permite que usuarios no autenticados ejecuten comandos. Synacor Zimbra Collaboration contains an unspecified vulnerability in the postjournal service that may allow an unauthenticated user to execute commands. • https://github.com/Chocapikk/CVE-2024-45519 https://github.com/p33d/CVE-2024-45519 https://github.com/TOB1a3/CVE-2024-45519-PoC https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_Fixes https://wiki.zimbra.com/wiki&# • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-863: Incorrect Authorization •
CVSS: 4.0EPSS: 0%CPEs: 2EXPL: 0CVE-2017-20191 – Zimbra zm-admin-ajax Form Textbox Field Error XFormItem.js XFormItem.prototype.setError cross site scripting
https://notcve.org/view.php?id=CVE-2017-20191
A vulnerability was found in Zimbra zm-admin-ajax up to 8.8.1. It has been classified as problematic. This affects the function XFormItem.prototype.setError of the file WebRoot/js/ajax/dwt/xforms/XFormItem.js of the component Form Textbox Field Error Handler. The manipulation of the argument message leads to cross site scripting. It is possible to initiate the attack remotely. • https://github.com/Zimbra/zm-admin-ajax/commit/bb240ce0c71c01caabaa43eed30c78ba8d7d3591 https://github.com/Zimbra/zm-admin-ajax/releases/tag/8.8.2 https://vuldb.com/?ctiid.258621 https://vuldb.com/?id.258621 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 0CVE-2017-20188 – Zimbra zm-ajax XFormItem.js XFormItem.prototype.setError cross site scripting
https://notcve.org/view.php?id=CVE-2017-20188
A vulnerability has been found in Zimbra zm-ajax up to 8.8.1 and classified as problematic. Affected by this vulnerability is the function XFormItem.prototype.setError of the file WebRoot/js/ajax/dwt/xforms/XFormItem.js. The manipulation of the argument message leads to cross site scripting. The attack can be launched remotely. The complexity of an attack is rather high. • https://github.com/Zimbra/zm-ajax/commit/8d039d6efe80780adc40c6f670c06d21de272105 https://github.com/Zimbra/zm-ajax/releases/tag/8.8.2 https://vuldb.com/?ctiid.249421 https://vuldb.com/?id.249421 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 71EXPL: 0CVE-2023-41106
https://notcve.org/view.php?id=CVE-2023-41106
An issue was discovered in Zimbra Collaboration (ZCS) before 10.0.3. An attacker can gain access to a Zimbra account. This is also fixed in 9.0.0 Patch 35 and 8.8.15 Patch 42. Se descubrió un problema en Zimbra Collaboration (ZCS) antes de 10.0.3. Un atacante puede obtener acceso a una cuenta de Zimbra. • http://www.openwall.com/lists/oss-security/2023/11/17/2 https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories •