Filtered by vendor Zimbra
Subscriptions
Total
71 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-45515 | 1 Zimbra | 2 Zimbra, Zimbra Collaboration Suite | 2025-07-31 | 6.1 Medium |
| An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A Cross-Site Scripting (XSS) vulnerability exists in Zimbra webmail due to insufficient validation of the content type metadata when importing files into the briefcase. Attackers can exploit this issue by crafting a file with manipulated metadata, allowing them to bypass content type checks and execute arbitrary JavaScript within the victim's session. | ||||
| CVE-2022-27926 | 1 Zimbra | 1 Collaboration | 2025-07-30 | 6.1 Medium |
| A reflected cross-site scripting (XSS) vulnerability in the /public/launchNewWindow.jsp component of Zimbra Collaboration (aka ZCS) 9.0 allows unauthenticated attackers to execute arbitrary web script or HTML via request parameters. | ||||
| CVE-2022-24682 | 1 Zimbra | 1 Collaboration | 2025-07-30 | 6.1 Medium |
| An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild starting in December 2021. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document. | ||||
| CVE-2022-27924 | 1 Zimbra | 1 Collaboration | 2025-07-30 | 7.5 High |
| Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance. These memcache commands becomes unescaped, causing an overwrite of arbitrary cached entries. | ||||
| CVE-2022-27925 | 1 Zimbra | 1 Collaboration | 2025-07-30 | 7.2 High |
| Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal. | ||||
| CVE-2022-37042 | 1 Zimbra | 1 Collaboration | 2025-07-30 | 9.8 Critical |
| Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925. | ||||
| CVE-2022-41352 | 1 Zimbra | 1 Collaboration | 2025-07-30 | 9.8 Critical |
| An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavis via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). Once pax is installed, amavis automatically prefers it over cpio. | ||||
| CVE-2023-34192 | 1 Zimbra | 1 Collaboration | 2025-07-30 | 9 Critical |
| Cross Site Scripting vulnerability in Zimbra ZCS v.8.8.15 allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function. | ||||
| CVE-2023-37580 | 1 Zimbra | 1 Zimbra | 2025-07-30 | 6.1 Medium |
| Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client. | ||||
| CVE-2024-27443 | 1 Zimbra | 1 Collaboration | 2025-07-30 | 6.1 Medium |
| An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim's session, potentially leading to execution of arbitrary JavaScript code. | ||||
| CVE-2024-45519 | 1 Zimbra | 2 Collaboration, Zimbra Collaboration Suite | 2025-07-30 | 10 Critical |
| The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows unauthenticated users to execute commands. | ||||
| CVE-2025-53645 | 1 Zimbra | 1 Zimbra Collaboration Suite | 2025-07-22 | 7.5 High |
| Zimbra Collaboration (ZCS) before 9.0.0 Patch 46, 10.0.x before 10.0.15, and 10.1.x before 10.1.9 is vulnerable to a denial of service condition due to improper handling of excessive, comma-separated path segments in the Admin Console. An unauthenticated remote attacker can send specially crafted GET requests that trigger redundant processing and inflated responses. This leads to uncontrolled resource consumption, resulting in denial of service. | ||||
| CVE-2025-48700 | 2 Synacor, Zimbra | 2 Zimbra Collaboration Suite, Zimbra | 2025-07-11 | 6.1 Medium |
| An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 and 10.1. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, specifically involving crafted tag structures and attribute values that include an @import directive and other script injection vectors. The vulnerability is triggered when a user views a crafted e-mail message in the Classic UI, requiring no additional user interaction. | ||||
| CVE-2017-20188 | 1 Zimbra | 1 Zm-ajax | 2025-06-03 | 2.6 Low |
| A vulnerability has been found in Zimbra zm-ajax up to 8.8.1 and classified as problematic. Affected by this vulnerability is the function XFormItem.prototype.setError of the file WebRoot/js/ajax/dwt/xforms/XFormItem.js. The manipulation of the argument message leads to cross site scripting. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 8.8.2 is able to address this issue. The identifier of the patch is 8d039d6efe80780adc40c6f670c06d21de272105. It is recommended to upgrade the affected component. The identifier VDB-249421 was assigned to this vulnerability. | ||||
| CVE-2022-41347 | 1 Zimbra | 1 Collaboration | 2025-05-21 | 7.8 High |
| An issue was discovered in Zimbra Collaboration (ZCS) 8.8.x and 9.x (e.g., 8.8.15). The Sudo configuration permits the zimbra user to execute the NGINX binary as root with arbitrary parameters. As part of its intended functionality, NGINX can load a user-defined configuration file, which includes plugins in the form of .so files, which also execute as root. | ||||
| CVE-2022-41351 | 1 Zimbra | 1 Collaboration | 2025-05-15 | 6.1 Medium |
| In Zimbra Collaboration Suite (ZCS) 8.8.15, at the URL /h/calendar, one can trigger XSS by adding JavaScript code to the view parameter and changing the value of the uncheck parameter to a string (instead of default value of 10). | ||||
| CVE-2022-41350 | 1 Zimbra | 1 Collaboration | 2025-05-15 | 6.1 Medium |
| In Zimbra Collaboration Suite (ZCS) 8.8.15, /h/search?action=voicemail&action=listen accepts a phone parameter that is vulnerable to Reflected XSS. This allows executing arbitrary JavaScript on the victim's machine. | ||||
| CVE-2022-41349 | 1 Zimbra | 1 Collaboration | 2025-05-15 | 6.1 Medium |
| In Zimbra Collaboration Suite (ZCS) 8.8.15, the URL at /h/compose accepts an attachUrl parameter that is vulnerable to Reflected XSS. This allows executing arbitrary JavaScript on the victim's machine. | ||||
| CVE-2022-41348 | 1 Zimbra | 1 Collaboration | 2025-05-15 | 6.1 Medium |
| An issue was discovered in Zimbra Collaboration (ZCS) 9.0. XSS can occur via the onerror attribute of an IMG element, leading to information disclosure. | ||||
| CVE-2023-45206 | 1 Zimbra | 1 Collaboration | 2025-05-07 | 6.1 Medium |
| An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15, 9.0, and 10.0. Through the help document endpoint in webmail, an attacker can inject JavaScript or HTML code that leads to cross-site scripting (XSS). (Adding an adequate message to avoid malicious code will mitigate this issue.) | ||||