This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor            Synacor
Product           Zimbra Collaboration Suite
Version           8.8.15
Update            p1
Edition           *
Language          *
Software Edition  *
Target Software   *
Target Hardware   *
Other             *

First view  2020-02-18
Last view   2022-10-17
Type        Application
 
CPE Product cpe:2.3:a:synacor:zimbra_collaboration_suite

Activity : Overall

Related : CVE

Score  Date        Alert
Description
7.8 2022-10-17 CVE-2022-3569

Due to an issue with incorrect sudo permissions, Zimbra Collaboration Suite (ZCS) suffers from a local privilege escalation issue in versions 9.0.0 and prior, where the 'zimbra' user can effectively coerce postfix into running arbitrary commands as 'root'.

6.1 2020-07-02 CVE-2020-13653

An XSS vulnerability exists in the Webmail component of Zimbra Collaboration Suite before 8.8.15 Patch 11. It allows an attacker to inject executable JavaScript into the account name of a user's profile. The injected code can be reflected and executed when changing an e-mail signature.

8 2020-06-03 CVE-2020-12846

Zimbra before 8.8.15 Patch 10 and 9.x before 9.0.0 Patch 3 allows remote code execution via an avatar file. There is potential abuse of /service/upload servlet in the webmail subsystem. A user can upload executable files (exe,sh,bat,jar) in the Contact section of the mailbox as an avatar image for a contact. A user will receive a "Corrupt File" error, but the file is still uploaded and stored locally in /opt/zimbra/data/tmp/upload/, leaving it open to possible remote execution.

5.3 2020-02-18 CVE-2020-8633

An issue was discovered in Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7. When grantors revoked a shared calendar in Outlook, the calendar stayed mounted and accessible.

9.8 2020-02-18 CVE-2020-7796

Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is enabled.

CWE : Common Weakness Enumeration

%        id       Name
25% (1) CWE-434 Unrestricted Upload of File with Dangerous Type
25% (1) CWE-281 Improper Preservation of Permissions
25% (1) CWE-269 Improper Privilege Management
25% (1) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')