CVSS: 7.5EPSS: 0%CPEs: 29EXPL: 0CVE-2023-38750
https://notcve.org/view.php?id=CVE-2023-38750
In Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41, 9 before 9.0.0 Patch 34, and 10 before 10.0.2, internal JSP and XML files can be exposed. • https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy •
CVSS: 6.1EPSS: 30%CPEs: 14EXPL: 0CVE-2023-37580 – Zimbra Collaboration (ZCS) Cross-Site Scripting (XSS) Vulnerability
https://notcve.org/view.php?id=CVE-2023-37580
Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client. Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability impacting the confidentiality and integrity of data. • http://www.openwall.com/lists/oss-security/2023/11/17/2 https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-11737
https://notcve.org/view.php?id=CVE-2020-11737
A cross-site scripting (XSS) vulnerability in Web Client in Zimbra 9.0 allows a remote attacker to craft links in an E-Mail message or calendar invite to execute arbitrary JavaScript. The attack requires an A element containing an href attribute with a "www" substring (including the quotes) followed immediately by a DOM event listener such as onmouseover. This is fixed in 9.0.0 Patch 2. Una vulnerabilidad de tipo cross-site scripting (XSS) en Web Client en Zimbra versión 9.0, permite a un atacante remoto diseñar enlaces en un mensaje de Correo Electrónico o en un calendario que invite a ejecutar JavaScript arbitrario. El ataque requiere un elemento A que contiene un atributo href con una subcadena "www" (incluyendo las comillas) seguido inmediatamente por un escuchador de eventos DOM tal y como onmouseover. • https://blog.zimbra.com/2020/05/new-zimbra-9-kepler-patch-2 https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P2 https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 2%CPEs: 1EXPL: 3CVE-2013-1938 – Zimbra - 'aspell.php' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-1938
Zimbra 2013 has XSS in aspell.php Zimbra 2013, presenta una vulnerabilidad de tipo XSS en el archivo aspell.php. • https://www.exploit-db.com/exploits/38436 http://www.openwall.com/lists/oss-security/2013/04/09/14 http://www.openwall.com/lists/oss-security/2013/04/09/15 http://www.securityfocus.com/bid/58913 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 0CVE-2018-10939
https://notcve.org/view.php?id=CVE-2018-10939
Zimbra Web Client (ZWC) in Zimbra Collaboration Suite 8.8 before 8.8.8.Patch4 and 8.7 before 8.7.11.Patch4 has Persistent XSS via a contact group. Zimbra Web Client (ZWC) en Zimbra Collaboration Suite en versiones 8.8 anteriores a la 8.8.8.Patch4 y versiones 8.7 anteriores a la 8.7.11.Patch4 tiene Cross-Site Scripting (XSS) persistente mediante un grupo de contactos. • https://blog.zimbra.com/2018/05/new-zimbra-patches-8-8-8-patch-4-and-8-7-11-patch-4 https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P4 https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P4 https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •