CVE-2023-38750
https://notcve.org/view.php?id=CVE-2023-38750
In Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41, 9 before 9.0.0 Patch 34, and 10 before 10.0.2, internal JSP and XML files can be exposed.
References: https://wiki.zimbra.com/wiki/Security_Center , https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy
CVE-2020-11737
https://notcve.org/view.php?id=CVE-2020-11737
A cross-site scripting (XSS) vulnerability in the Web Client in Zimbra 9.0 allows a remote attacker to craft links in an e-mail message or calendar invite that execute arbitrary JavaScript. The attack requires an A element containing an href attribute with a "www" substring (including the quotes) followed immediately by a DOM event listener such as onmouseover. This is fixed in 9.0.0 Patch 2.
References: https://blog.zimbra.com/2020/05/new-zimbra-9-kepler-patch-2 , https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P2 , https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')