Vulnerabilites related to Zimbra - Zimbra
Vulnerability from fkie_nvd
Published
2020-02-12 16:15
Modified
2024-11-21 01:50
Severity ?
Summary
Zimbra 2013 has XSS in aspell.php
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | http://www.openwall.com/lists/oss-security/2013/04/09/14 | Exploit, Mailing List, Patch, Third Party Advisory | |
| secalert@redhat.com | http://www.openwall.com/lists/oss-security/2013/04/09/15 | Exploit, Mailing List, Patch, Third Party Advisory | |
| secalert@redhat.com | http://www.securityfocus.com/bid/58913 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2013/04/09/14 | Exploit, Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2013/04/09/15 | Exploit, Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/58913 | Third Party Advisory, VDB Entry |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:zimbra:zimbra:2013:*:*:*:*:*:*:*",
"matchCriteriaId": "64EA6807-9106-46CB-B625-1DF8193C4D0F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Zimbra 2013 has XSS in aspell.php"
},
{
"lang": "es",
"value": "Zimbra 2013, presenta una vulnerabilidad de tipo XSS en el archivo aspell.php."
}
],
"id": "CVE-2013-1938",
"lastModified": "2024-11-21T01:50:42.773",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-02-12T16:15:10.363",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Exploit",
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2013/04/09/14"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit",
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2013/04/09/15"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/58913"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2013/04/09/14"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2013/04/09/15"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/58913"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-07-31 16:15
Modified
2025-01-27 21:55
Severity ?
Summary
Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| zimbra | zimbra | * | |
| zimbra | zimbra | 8.8.15 | |
| zimbra | zimbra | 8.8.15 | |
| zimbra | zimbra | 8.8.15 | |
| zimbra | zimbra | 8.8.15 | |
| zimbra | zimbra | 8.8.15 | |
| zimbra | zimbra | 8.8.15 | |
| zimbra | zimbra | 8.8.15 | |
| zimbra | zimbra | 8.8.15 | |
| zimbra | zimbra | 8.8.15 | |
| zimbra | zimbra | 8.8.15 | |
| zimbra | zimbra | 8.8.15 | |
| zimbra | zimbra | 8.8.15 | |
| zimbra | zimbra | 8.8.15 |
{
"cisaActionDue": "2023-08-17",
"cisaExploitAdd": "2023-07-27",
"cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
"cisaVulnerabilityName": "Zimbra Collaboration (ZCS) Cross-Site Scripting (XSS) Vulnerability",
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:zimbra:zimbra:*:*:*:*:*:*:*:*",
"matchCriteriaId": "38ECDB77-75C2-4F1F-94A8-D0F7CAC58427",
"versionEndExcluding": "8.8.15",
"versionStartIncluding": "8.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:8.8.15:p11:*:*:*:*:*:*",
"matchCriteriaId": "D94082EB-9245-421E-A195-659ED7E97FBD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:8.8.15:p26:*:*:*:*:*:*",
"matchCriteriaId": "F10A5925-168E-45E8-888E-E4042A1406A4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:8.8.15:p3:*:*:*:*:*:*",
"matchCriteriaId": "074B9DC0-1700-4C29-B332-093FEA785D39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:8.8.15:p30:*:*:*:*:*:*",
"matchCriteriaId": "85C96088-3631-4CAE-BA6C-9E7A12EC455F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:8.8.15:p31:*:*:*:*:*:*",
"matchCriteriaId": "BCB801E7-C9C5-42FC-A4C3-CECD9F21887B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:8.8.15:p32:*:*:*:*:*:*",
"matchCriteriaId": "A22C14E7-34AE-438C-9E2A-DA4BF07889D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:8.8.15:p33:*:*:*:*:*:*",
"matchCriteriaId": "B5251B9B-87EF-4300-A791-8C2BB2B58FA8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:8.8.15:p34:*:*:*:*:*:*",
"matchCriteriaId": "C9795188-0A57-48A6-B876-0A2477888D6F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:8.8.15:p35:*:*:*:*:*:*",
"matchCriteriaId": "4288C356-C993-486F-B3CF-D8E44A7A53C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:8.8.15:p37:*:*:*:*:*:*",
"matchCriteriaId": "7A98258E-91BA-45F0-8417-6FFB3CF02FB5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:8.8.15:p38:*:*:*:*:*:*",
"matchCriteriaId": "3EFD7BC4-0284-4551-972C-81DD7F225DA9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:8.8.15:p40:*:*:*:*:*:*",
"matchCriteriaId": "ACA5EA7B-95A3-49E9-A407-A034279173FB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:8.8.15:p5:*:*:*:*:*:*",
"matchCriteriaId": "9F670A63-D8E9-4360-83CF-5C5D3D8B569E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client."
}
],
"id": "CVE-2023-37580",
"lastModified": "2025-01-27T21:55:19.183",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-07-31T16:15:10.327",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2023/11/17/2"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://wiki.zimbra.com/wiki/Security_Center"
},
{
"source": "cve@mitre.org",
"tags": [
"Not Applicable"
],
"url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2023/11/17/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://wiki.zimbra.com/wiki/Security_Center"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Not Applicable"
],
"url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-07-31 16:15
Modified
2024-11-21 08:14
Severity ?
Summary
In Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41, 9 before 9.0.0 Patch 34, and 10 before 10.0.2, internal JSP and XML files can be exposed.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://wiki.zimbra.com/wiki/Security_Center | Release Notes, Vendor Advisory | |
| cve@mitre.org | https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy | Not Applicable | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wiki.zimbra.com/wiki/Security_Center | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy | Not Applicable |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| zimbra | zimbra | * | |
| zimbra | zimbra | 8.8.15 | |
| zimbra | zimbra | 8.8.15 | |
| zimbra | zimbra | 8.8.15 | |
| zimbra | zimbra | 8.8.15 | |
| zimbra | zimbra | 8.8.15 | |
| zimbra | zimbra | 8.8.15 | |
| zimbra | zimbra | 8.8.15 | |
| zimbra | zimbra | 8.8.15 | |
| zimbra | zimbra | 8.8.15 | |
| zimbra | zimbra | 8.8.15 | |
| zimbra | zimbra | 8.8.15 | |
| zimbra | zimbra | 8.8.15 | |
| zimbra | zimbra | 8.8.15 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 10.0.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:zimbra:zimbra:*:*:*:*:*:*:*:*",
"matchCriteriaId": "38ECDB77-75C2-4F1F-94A8-D0F7CAC58427",
"versionEndExcluding": "8.8.15",
"versionStartIncluding": "8.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:8.8.15:p11:*:*:*:*:*:*",
"matchCriteriaId": "D94082EB-9245-421E-A195-659ED7E97FBD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:8.8.15:p26:*:*:*:*:*:*",
"matchCriteriaId": "F10A5925-168E-45E8-888E-E4042A1406A4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:8.8.15:p3:*:*:*:*:*:*",
"matchCriteriaId": "074B9DC0-1700-4C29-B332-093FEA785D39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:8.8.15:p30:*:*:*:*:*:*",
"matchCriteriaId": "85C96088-3631-4CAE-BA6C-9E7A12EC455F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:8.8.15:p31:*:*:*:*:*:*",
"matchCriteriaId": "BCB801E7-C9C5-42FC-A4C3-CECD9F21887B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:8.8.15:p32:*:*:*:*:*:*",
"matchCriteriaId": "A22C14E7-34AE-438C-9E2A-DA4BF07889D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:8.8.15:p33:*:*:*:*:*:*",
"matchCriteriaId": "B5251B9B-87EF-4300-A791-8C2BB2B58FA8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:8.8.15:p34:*:*:*:*:*:*",
"matchCriteriaId": "C9795188-0A57-48A6-B876-0A2477888D6F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:8.8.15:p35:*:*:*:*:*:*",
"matchCriteriaId": "4288C356-C993-486F-B3CF-D8E44A7A53C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:8.8.15:p37:*:*:*:*:*:*",
"matchCriteriaId": "7A98258E-91BA-45F0-8417-6FFB3CF02FB5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:8.8.15:p38:*:*:*:*:*:*",
"matchCriteriaId": "3EFD7BC4-0284-4551-972C-81DD7F225DA9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:8.8.15:p40:*:*:*:*:*:*",
"matchCriteriaId": "ACA5EA7B-95A3-49E9-A407-A034279173FB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:8.8.15:p5:*:*:*:*:*:*",
"matchCriteriaId": "9F670A63-D8E9-4360-83CF-5C5D3D8B569E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B671A427-BC20-43CB-A7F1-DD2124B2B901",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p0:*:*:*:*:*:*",
"matchCriteriaId": "631ADC21-06BA-476D-B134-E25D06740019",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p19:*:*:*:*:*:*",
"matchCriteriaId": "92C99D34-300D-4AC6-9D75-538621978E38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p23:*:*:*:*:*:*",
"matchCriteriaId": "D949B9A3-4E4F-45FC-93AB-478B77C6F7AE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p25:*:*:*:*:*:*",
"matchCriteriaId": "0BDA3621-F2AA-4E55-8641-A30B9A3DCF8E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p26:*:*:*:*:*:*",
"matchCriteriaId": "3A29151F-9083-45B7-8C1E-A844372C01C0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p27:*:*:*:*:*:*",
"matchCriteriaId": "E35B7C01-F288-47D6-8C43-50FC6F6FEA7A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p28:*:*:*:*:*:*",
"matchCriteriaId": "40687633-0902-4D3E-8C7B-AE9318EB9DAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p30:*:*:*:*:*:*",
"matchCriteriaId": "8091130D-23B8-4271-9164-2279C14CBE7B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p31:*:*:*:*:*:*",
"matchCriteriaId": "B40F5F01-E7DC-4399-8F9E-2341069FD555",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p33:*:*:*:*:*:*",
"matchCriteriaId": "C8B3E761-6A2D-4AC1-8B46-B04196135A51",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p4:*:*:*:*:*:*",
"matchCriteriaId": "8A3B019E-A357-4F7E-8DB5-336B3209D130",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p7:*:*:*:*:*:*",
"matchCriteriaId": "E88525DC-A672-40E8-A756-43DD3E9685CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p7.1:*:*:*:*:*:*",
"matchCriteriaId": "482EC153-BE0F-4B8B-8AC0-0D2CC3A94752",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:10.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0A092529-4EF6-45CC-A56B-BC9255E97F6D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41, 9 before 9.0.0 Patch 34, and 10 before 10.0.2, internal JSP and XML files can be exposed."
}
],
"id": "CVE-2023-38750",
"lastModified": "2024-11-21T08:14:10.380",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-07-31T16:15:10.437",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://wiki.zimbra.com/wiki/Security_Center"
},
{
"source": "cve@mitre.org",
"tags": [
"Not Applicable"
],
"url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://wiki.zimbra.com/wiki/Security_Center"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Not Applicable"
],
"url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-05-05 15:15
Modified
2024-11-21 04:58
Severity ?
Summary
A cross-site scripting (XSS) vulnerability in Web Client in Zimbra 9.0 allows a remote attacker to craft links in an E-Mail message or calendar invite to execute arbitrary JavaScript. The attack requires an A element containing an href attribute with a "www" substring (including the quotes) followed immediately by a DOM event listener such as onmouseover. This is fixed in 9.0.0 Patch 2.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B671A427-BC20-43CB-A7F1-DD2124B2B901",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A cross-site scripting (XSS) vulnerability in Web Client in Zimbra 9.0 allows a remote attacker to craft links in an E-Mail message or calendar invite to execute arbitrary JavaScript. The attack requires an A element containing an href attribute with a \"www\" substring (including the quotes) followed immediately by a DOM event listener such as onmouseover. This is fixed in 9.0.0 Patch 2."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo cross-site scripting (XSS) en Web Client en Zimbra versi\u00f3n 9.0, permite a un atacante remoto dise\u00f1ar enlaces en un mensaje de Correo Electr\u00f3nico o en un calendario que invite a ejecutar JavaScript arbitrario. El ataque requiere un elemento A que contiene un atributo href con una subcadena \"www\" (incluyendo las comillas) seguido inmediatamente por un escuchador de eventos DOM tal y como onmouseover. Esto es corregido en la versi\u00f3n 9.0.0 Parche 2."
}
],
"id": "CVE-2020-11737",
"lastModified": "2024-11-21T04:58:30.990",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-05-05T15:15:12.280",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://blog.zimbra.com/2020/05/new-zimbra-9-kepler-patch-2/"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P2"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://blog.zimbra.com/2020/05/new-zimbra-9-kepler-patch-2/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-02-24 13:55
Modified
2024-11-21 01:36
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in zimbra/h/calendar in Zimbra Web Client in Zimbra Collaboration Suite (ZCS) 6.x before 6.0.15 and 7.x before 7.1.3 allows remote attackers to inject arbitrary web script or HTML via the view parameter.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:zimbra:zimbra:*:*:*:*:*:*:*:*",
"matchCriteriaId": "56F19372-2066-431F-B96E-D4D89BCB67BB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in zimbra/h/calendar in Zimbra Web Client in Zimbra Collaboration Suite (ZCS) 6.x before 6.0.15 and 7.x before 7.1.3 allows remote attackers to inject arbitrary web script or HTML via the view parameter."
},
{
"lang": "es",
"value": "Vulnerabilidad de Cross-Site Scripting (XSS) en zimbra/h/calendar en Zimbra Web Client en Zimbra Collaboration Suite (ZCS) en versiones 6.x anteriores a la 6.0.15 y 7.x anteriores a la 7.1.3 permite que atacantes remotos inyecten scripts web o HTML arbitrarios mediante el par\u00e1metro view."
}
],
"id": "CVE-2012-1213",
"lastModified": "2024-11-21T01:36:40.690",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2012-02-24T13:55:07.907",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.org/files/109710/Zimbra-Cross-Site-Scripting.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://st2tea.blogspot.com/2012/02/zimbra-cross-site-scripting.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/51974"
},
{
"source": "cve@mitre.org",
"url": "https://bugzilla.zimbra.com/show_bug.cgi?id=63849"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/73168"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.org/files/109710/Zimbra-Cross-Site-Scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://st2tea.blogspot.com/2012/02/zimbra-cross-site-scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/51974"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://bugzilla.zimbra.com/show_bug.cgi?id=63849"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/73168"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-11-22 21:15
Modified
2025-01-03 21:58
Severity ?
Summary
Zimbra GraphQL Cross-Site Request Forgery Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Zimbra. User interaction is required to exploit this vulnerability in that the target must open a malicious email message.
The specific flaw exists within the implementation of the graphql endpoint. The issue results from the lack of proper protections against cross-site request forgery (CSRF) attacks. An attacker can leverage this vulnerability to disclose information in the context of the target email account. Was ZDI-CAN-23939.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| zimbra | zimbra | * | |
| zimbra | zimbra | * | |
| zimbra | zimbra | * | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 | |
| zimbra | zimbra | 9.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:zimbra:zimbra:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C47C7E67-6EA3-44B6-BEBF-40ECEFB79E5F",
"versionEndExcluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:*:*:*:*:*:*:*:*",
"matchCriteriaId": "41231D6B-A378-4370-8F58-756F0CCE4063",
"versionEndExcluding": "10.0.10",
"versionStartIncluding": "10.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:*:*:*:*:*:*:*:*",
"matchCriteriaId": "59CCEE82-EC97-4519-9890-A41A78DF6BF1",
"versionEndExcluding": "10.1.2",
"versionStartIncluding": "10.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p0:*:*:*:*:*:*",
"matchCriteriaId": "631ADC21-06BA-476D-B134-E25D06740019",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p19:*:*:*:*:*:*",
"matchCriteriaId": "92C99D34-300D-4AC6-9D75-538621978E38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p23:*:*:*:*:*:*",
"matchCriteriaId": "D949B9A3-4E4F-45FC-93AB-478B77C6F7AE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p25:*:*:*:*:*:*",
"matchCriteriaId": "0BDA3621-F2AA-4E55-8641-A30B9A3DCF8E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p26:*:*:*:*:*:*",
"matchCriteriaId": "3A29151F-9083-45B7-8C1E-A844372C01C0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p27:*:*:*:*:*:*",
"matchCriteriaId": "E35B7C01-F288-47D6-8C43-50FC6F6FEA7A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p28:*:*:*:*:*:*",
"matchCriteriaId": "40687633-0902-4D3E-8C7B-AE9318EB9DAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p30:*:*:*:*:*:*",
"matchCriteriaId": "8091130D-23B8-4271-9164-2279C14CBE7B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p31:*:*:*:*:*:*",
"matchCriteriaId": "B40F5F01-E7DC-4399-8F9E-2341069FD555",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p33:*:*:*:*:*:*",
"matchCriteriaId": "C8B3E761-6A2D-4AC1-8B46-B04196135A51",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p34:*:*:*:*:*:*",
"matchCriteriaId": "EB9B3E42-A399-4F96-ABAD-F21CF48AFF30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p35:*:*:*:*:*:*",
"matchCriteriaId": "E9AF56CC-E13D-46EA-BDF3-95417FEA4A32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p36:*:*:*:*:*:*",
"matchCriteriaId": "F77F73B1-F4B0-416C-8411-B889E908E357",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p37:*:*:*:*:*:*",
"matchCriteriaId": "2C4EB21D-AD23-471E-BCC1-F132E419DB4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p38:*:*:*:*:*:*",
"matchCriteriaId": "29D07F52-8E7B-444F-892A-A027A5E17650",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p39:*:*:*:*:*:*",
"matchCriteriaId": "1FB6A28B-F881-403C-B89C-A0667603F6E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p4:*:*:*:*:*:*",
"matchCriteriaId": "8A3B019E-A357-4F7E-8DB5-336B3209D130",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p40:*:*:*:*:*:*",
"matchCriteriaId": "6CF47F57-2BE7-44A7-949E-85861EBC4AA3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p41:*:*:*:*:*:*",
"matchCriteriaId": "88E3601D-9029-44B8-93CB-4603885B21BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p7:*:*:*:*:*:*",
"matchCriteriaId": "E88525DC-A672-40E8-A756-43DD3E9685CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zimbra:zimbra:9.0.0:p7.1:*:*:*:*:*:*",
"matchCriteriaId": "482EC153-BE0F-4B8B-8AC0-0D2CC3A94752",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Zimbra GraphQL Cross-Site Request Forgery Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Zimbra. User interaction is required to exploit this vulnerability in that the target must open a malicious email message.\n\nThe specific flaw exists within the implementation of the graphql endpoint. The issue results from the lack of proper protections against cross-site request forgery (CSRF) attacks. An attacker can leverage this vulnerability to disclose information in the context of the target email account. Was ZDI-CAN-23939."
},
{
"lang": "es",
"value": "Vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n mediante Cross-Site Request Forgery en Zimbra GraphQL. Esta vulnerabilidad permite a atacantes remotos divulgar informaci\u00f3n confidencial sobre las instalaciones afectadas de Zimbra. Se requiere la interacci\u00f3n del usuario para explotar esta vulnerabilidad, ya que el objetivo debe abrir un mensaje de correo electr\u00f3nico malicioso. La falla espec\u00edfica existe dentro de la implementaci\u00f3n del endpoint GraphQL. El problema es el resultado de la falta de protecciones adecuadas contra ataques de Cross-Site Request Forgery (CSRF). Un atacante puede aprovechar esta vulnerabilidad para divulgar informaci\u00f3n en el contexto de la cuenta de correo electr\u00f3nico de destino. Era ZDI-CAN-23939."
}
],
"id": "CVE-2024-9665",
"lastModified": "2025-01-03T21:58:29.893",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "zdi-disclosures@trendmicro.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-11-22T21:15:23.923",
"references": [
{
"source": "zdi-disclosures@trendmicro.com",
"tags": [
"Release Notes"
],
"url": "https://blog.zimbra.com/2024/10/new-patch-release-reminders-for-missing-attachments-out-of-office-notifications-traffic-light-protocol-tlp-and-mailto-links/"
},
{
"source": "zdi-disclosures@trendmicro.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1369/"
}
],
"sourceIdentifier": "zdi-disclosures@trendmicro.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "zdi-disclosures@trendmicro.com",
"type": "Primary"
}
]
}
cve-2012-1213
Vulnerability from cvelistv5
Published
2012-02-20 19:00
Modified
2024-08-06 18:53
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in zimbra/h/calendar in Zimbra Web Client in Zimbra Collaboration Suite (ZCS) 6.x before 6.0.15 and 7.x before 7.1.3 allows remote attackers to inject arbitrary web script or HTML via the view parameter.
References
| ▼ | URL | Tags |
|---|---|---|
| https://exchange.xforce.ibmcloud.com/vulnerabilities/73168 | vdb-entry, x_refsource_XF | |
| http://packetstormsecurity.org/files/109710/Zimbra-Cross-Site-Scripting.html | x_refsource_MISC | |
| http://www.securityfocus.com/bid/51974 | vdb-entry, x_refsource_BID | |
| https://bugzilla.zimbra.com/show_bug.cgi?id=63849 | x_refsource_CONFIRM | |
| http://st2tea.blogspot.com/2012/02/zimbra-cross-site-scripting.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T18:53:36.394Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "zimbra-view-xss(73168)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/73168"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.org/files/109710/Zimbra-Cross-Site-Scripting.html"
},
{
"name": "51974",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/51974"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.zimbra.com/show_bug.cgi?id=63849"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://st2tea.blogspot.com/2012/02/zimbra-cross-site-scripting.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-02-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in zimbra/h/calendar in Zimbra Web Client in Zimbra Collaboration Suite (ZCS) 6.x before 6.0.15 and 7.x before 7.1.3 allows remote attackers to inject arbitrary web script or HTML via the view parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-11-17T19:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "zimbra-view-xss(73168)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/73168"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.org/files/109710/Zimbra-Cross-Site-Scripting.html"
},
{
"name": "51974",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/51974"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.zimbra.com/show_bug.cgi?id=63849"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://st2tea.blogspot.com/2012/02/zimbra-cross-site-scripting.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-1213",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in zimbra/h/calendar in Zimbra Web Client in Zimbra Collaboration Suite (ZCS) 6.x before 6.0.15 and 7.x before 7.1.3 allows remote attackers to inject arbitrary web script or HTML via the view parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "zimbra-view-xss(73168)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/73168"
},
{
"name": "http://packetstormsecurity.org/files/109710/Zimbra-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.org/files/109710/Zimbra-Cross-Site-Scripting.html"
},
{
"name": "51974",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/51974"
},
{
"name": "https://bugzilla.zimbra.com/show_bug.cgi?id=63849",
"refsource": "CONFIRM",
"url": "https://bugzilla.zimbra.com/show_bug.cgi?id=63849"
},
{
"name": "http://st2tea.blogspot.com/2012/02/zimbra-cross-site-scripting.html",
"refsource": "MISC",
"url": "http://st2tea.blogspot.com/2012/02/zimbra-cross-site-scripting.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-1213",
"datePublished": "2012-02-20T19:00:00",
"dateReserved": "2012-02-20T00:00:00",
"dateUpdated": "2024-08-06T18:53:36.394Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-9665
Vulnerability from cvelistv5
Published
2024-11-22 21:02
Modified
2024-11-23 01:26
Severity ?
EPSS score ?
Summary
Zimbra GraphQL Cross-Site Request Forgery Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Zimbra. User interaction is required to exploit this vulnerability in that the target must open a malicious email message.
The specific flaw exists within the implementation of the graphql endpoint. The issue results from the lack of proper protections against cross-site request forgery (CSRF) attacks. An attacker can leverage this vulnerability to disclose information in the context of the target email account. Was ZDI-CAN-23939.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9665",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-23T01:19:46.807745Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-23T01:26:27.732Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Zimbra",
"vendor": "Zimbra",
"versions": [
{
"status": "affected",
"version": "10.0.8"
}
]
}
],
"dateAssigned": "2024-10-08T17:22:05.123-05:00",
"datePublic": "2024-10-11T17:03:24.864-05:00",
"descriptions": [
{
"lang": "en",
"value": "Zimbra GraphQL Cross-Site Request Forgery Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Zimbra. User interaction is required to exploit this vulnerability in that the target must open a malicious email message.\n\nThe specific flaw exists within the implementation of the graphql endpoint. The issue results from the lack of proper protections against cross-site request forgery (CSRF) attacks. An attacker can leverage this vulnerability to disclose information in the context of the target email account. Was ZDI-CAN-23939."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-22T21:02:44.953Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-24-1369",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1369/"
},
{
"name": "vendor-provided URL",
"tags": [
"vendor-advisory"
],
"url": "https://blog.zimbra.com/2024/10/new-patch-release-reminders-for-missing-attachments-out-of-office-notifications-traffic-light-protocol-tlp-and-mailto-links/"
}
],
"source": {
"lang": "en",
"value": "Anonymous"
},
"title": "Zimbra GraphQL Cross-Site Request Forgery Information Disclosure Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2024-9665",
"datePublished": "2024-11-22T21:02:44.953Z",
"dateReserved": "2024-10-08T22:22:05.000Z",
"dateUpdated": "2024-11-23T01:26:27.732Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-38750
Vulnerability from cvelistv5
Published
2023-07-31 00:00
Modified
2024-10-22 17:42
Severity ?
EPSS score ?
Summary
In Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41, 9 before 9.0.0 Patch 34, and 10 before 10.0.2, internal JSP and XML files can be exposed.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:54:38.374Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wiki.zimbra.com/wiki/Security_Center"
},
{
"tags": [
"x_transferred"
],
"url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-38750",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T17:42:28.501136Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T17:42:37.528Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41, 9 before 9.0.0 Patch 34, and 10 before 10.0.2, internal JSP and XML files can be exposed."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-31T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://wiki.zimbra.com/wiki/Security_Center"
},
{
"url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-38750",
"datePublished": "2023-07-31T00:00:00",
"dateReserved": "2023-07-25T00:00:00",
"dateUpdated": "2024-10-22T17:42:37.528Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-11737
Vulnerability from cvelistv5
Published
2020-05-05 14:08
Modified
2024-08-04 11:41
Severity ?
EPSS score ?
Summary
A cross-site scripting (XSS) vulnerability in Web Client in Zimbra 9.0 allows a remote attacker to craft links in an E-Mail message or calendar invite to execute arbitrary JavaScript. The attack requires an A element containing an href attribute with a "www" substring (including the quotes) followed immediately by a DOM event listener such as onmouseover. This is fixed in 9.0.0 Patch 2.
References
| ▼ | URL | Tags |
|---|---|---|
| https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories | x_refsource_MISC | |
| https://blog.zimbra.com/2020/05/new-zimbra-9-kepler-patch-2/ | x_refsource_CONFIRM | |
| https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:41:58.246Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.zimbra.com/2020/05/new-zimbra-9-kepler-patch-2/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A cross-site scripting (XSS) vulnerability in Web Client in Zimbra 9.0 allows a remote attacker to craft links in an E-Mail message or calendar invite to execute arbitrary JavaScript. The attack requires an A element containing an href attribute with a \"www\" substring (including the quotes) followed immediately by a DOM event listener such as onmouseover. This is fixed in 9.0.0 Patch 2."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-05T14:08:15",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.zimbra.com/2020/05/new-zimbra-9-kepler-patch-2/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P2"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-11737",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A cross-site scripting (XSS) vulnerability in Web Client in Zimbra 9.0 allows a remote attacker to craft links in an E-Mail message or calendar invite to execute arbitrary JavaScript. The attack requires an A element containing an href attribute with a \"www\" substring (including the quotes) followed immediately by a DOM event listener such as onmouseover. This is fixed in 9.0.0 Patch 2."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories",
"refsource": "MISC",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
},
{
"name": "https://blog.zimbra.com/2020/05/new-zimbra-9-kepler-patch-2/",
"refsource": "CONFIRM",
"url": "https://blog.zimbra.com/2020/05/new-zimbra-9-kepler-patch-2/"
},
{
"name": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P2",
"refsource": "MISC",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P2"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-11737",
"datePublished": "2020-05-05T14:08:15",
"dateReserved": "2020-04-13T00:00:00",
"dateUpdated": "2024-08-04T11:41:58.246Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-37580
Vulnerability from cvelistv5
Published
2023-07-31 00:00
Modified
2025-01-27 22:25
Severity ?
EPSS score ?
Summary
Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:16:30.820Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wiki.zimbra.com/wiki/Security_Center"
},
{
"tags": [
"x_transferred"
],
"url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
},
{
"name": "[oss-security] 20231117 CVE-2023-37580 (and others): XSS vulnerabilities in Zimbra Collaboration Suite",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/11/17/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-37580",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-27T22:24:58.396885Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2023-07-27",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2023-37580"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-27T22:25:05.231Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-17T15:06:12.780Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://wiki.zimbra.com/wiki/Security_Center"
},
{
"url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
},
{
"name": "[oss-security] 20231117 CVE-2023-37580 (and others): XSS vulnerabilities in Zimbra Collaboration Suite",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2023/11/17/2"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-37580",
"datePublished": "2023-07-31T00:00:00.000Z",
"dateReserved": "2023-07-07T00:00:00.000Z",
"dateUpdated": "2025-01-27T22:25:05.231Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2013-1938
Vulnerability from cvelistv5
Published
2020-02-12 15:02
Modified
2024-08-06 15:20
Severity ?
EPSS score ?
Summary
Zimbra 2013 has XSS in aspell.php
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/58913 | x_refsource_MISC | |
| http://www.openwall.com/lists/oss-security/2013/04/09/14 | x_refsource_MISC | |
| http://www.openwall.com/lists/oss-security/2013/04/09/15 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T15:20:37.024Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/58913"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2013/04/09/14"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2013/04/09/15"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Zimbra",
"vendor": "Zimbra",
"versions": [
{
"status": "affected",
"version": "2013"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Zimbra 2013 has XSS in aspell.php"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XSS",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-12T15:02:24",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.securityfocus.com/bid/58913"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.openwall.com/lists/oss-security/2013/04/09/14"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.openwall.com/lists/oss-security/2013/04/09/15"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-1938",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Zimbra",
"version": {
"version_data": [
{
"version_value": "2013"
}
]
}
}
]
},
"vendor_name": "Zimbra"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Zimbra 2013 has XSS in aspell.php"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XSS"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.securityfocus.com/bid/58913",
"refsource": "MISC",
"url": "http://www.securityfocus.com/bid/58913"
},
{
"name": "http://www.openwall.com/lists/oss-security/2013/04/09/14",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2013/04/09/14"
},
{
"name": "http://www.openwall.com/lists/oss-security/2013/04/09/15",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2013/04/09/15"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-1938",
"datePublished": "2020-02-12T15:02:24",
"dateReserved": "2013-02-19T00:00:00",
"dateUpdated": "2024-08-06T15:20:37.024Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}