Search
Search Results (72 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-11737 | 1 Zimbra | 1 Zimbra | 2024-11-21 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability in Web Client in Zimbra 9.0 allows a remote attacker to craft links in an E-Mail message or calendar invite to execute arbitrary JavaScript. The attack requires an A element containing an href attribute with a "www" substring (including the quotes) followed immediately by a DOM event listener such as onmouseover. This is fixed in 9.0.0 Patch 2. | ||||
| CVE-2020-10194 | 1 Zimbra | 1 Zm-mailbox | 2024-11-21 | 6.5 Medium |
| cs/service/account/AutoCompleteGal.java in Zimbra zm-mailbox before 8.8.15.p8 allows authenticated users to request any GAL account. This differs from the intended behavior in which the domain of the authenticated user must match the domain of the galsync account in the request. | ||||
| CVE-2019-8947 | 1 Zimbra | 1 Collaboration Server | 2024-11-21 | 6.1 Medium |
| Zimbra Collaboration 8.7.x - 8.8.11P2 contains non-persistent XSS. | ||||
| CVE-2019-8946 | 1 Zimbra | 1 Collaboration Server | 2024-11-21 | 6.1 Medium |
| Zimbra Collaboration 8.7.x - 8.8.11P2 contains persistent XSS. | ||||
| CVE-2019-8945 | 1 Zimbra | 1 Collaboration Server | 2024-11-21 | 6.1 Medium |
| Zimbra Collaboration 8.7.x - 8.8.11P2 contains persistent XSS. | ||||
| CVE-2019-15313 | 1 Zimbra | 1 Collaboration Server | 2024-11-21 | 6.1 Medium |
| In Zimbra Collaboration before 8.8.15 Patch 1, there is a non-persistent XSS vulnerability. | ||||
| CVE-2019-12427 | 1 Zimbra | 1 Collaboration Server | 2024-11-21 | 4.8 Medium |
| Zimbra Collaboration before 8.8.15 Patch 1 is vulnerable to a non-persistent XSS via the Admin Console. | ||||
| CVE-2018-10939 | 2 Synacor, Zimbra | 2 Zimbra Collaboration Suite, Zimbra Collaboration Suite | 2024-11-21 | N/A |
| Zimbra Web Client (ZWC) in Zimbra Collaboration Suite 8.8 before 8.8.8.Patch4 and 8.7 before 8.7.11.Patch4 has Persistent XSS via a contact group. | ||||
| CVE-2015-7610 | 2 Synacor, Zimbra | 2 Zimbra Collaboration Suite, Zimbra Collaboration Suite | 2024-11-21 | N/A |
| Cross-site request forgery (CSRF) vulnerability in the login form in Zimbra Collaboration Suite (aka ZCS) before 8.6.0 Patch 10, 8.7.x before 8.7.11 Patch 2, and 8.8.x before 8.8.8 Patch 1 allows remote attackers to hijack the authentication of unspecified victims by leveraging failure to use a CSRF token. | ||||
| CVE-2013-1938 | 1 Zimbra | 1 Zimbra | 2024-11-21 | 6.1 Medium |
| Zimbra 2013 has XSS in aspell.php | ||||
| CVE-2024-45518 | 1 Zimbra | 1 Collaboration | 2024-10-30 | 7.5 High |
| An issue was discovered in Zimbra Collaboration (ZCS) 10.1.x before 10.1.1, 10.0.x before 10.0.9, 9.0.0 before Patch 41, and 8.8.15 before Patch 46. It allows authenticated users to exploit Server-Side Request Forgery (SSRF) due to improper input sanitization and misconfigured domain whitelisting. This issue permits unauthorized HTTP requests to be sent to internal services, which can lead to Remote Code Execution (RCE) by chaining Command Injection within the internal service. When combined with existing XSS vulnerabilities, this SSRF issue can further facilitate Remote Code Execution (RCE). | ||||
| CVE-2024-27442 | 1 Zimbra | 1 Collaboration | 2024-08-13 | 7.8 High |
| An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The zmmailboxdmgr binary, a component of ZCS, is intended to be executed by the zimbra user with root privileges for specific mailbox operations. However, an attacker can escalate privileges from the zimbra user to root, because of improper handling of input arguments. An attacker can execute arbitrary commands with elevated privileges, leading to local privilege escalation. | ||||