Zimbra: Security Vulnerabilities
An issue was discovered in ZmMailMsgView.js in the Calendar Invite component in Zimbra Collaboration Suite 8.8.x before 8.8.15 Patch 23. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document.
CVSS Score
5.4
EPSS Score
0.013
Published
2021-07-02
An issue was discovered in ProxyServlet.java in the /proxy servlet in Zimbra Collaboration Suite 8.8 before 8.8.15 Patch 23 and 9.x before 9.0.0 Patch 16. The value of the X-Host header overwrites the value of the Host header in proxied requests. The value of X-Host header is not checked against the whitelist of hosts Zimbra is allowed to proxy to (the zimbraProxyAllowedDomains setting).
CVSS Score
9.8
EPSS Score
0.027
Published
2021-07-02
In Zimbra Collaboration Suite Network Edition versions < 9.0.0 P10 and 8.8.15 P17, there exists an XXE vulnerability in the saml consumer store extension, which is vulnerable to XXE attacks. This has been fixed in Zimbra Collaboration Suite Network edition 9.0.0 Patch 10 and 8.8.15 Patch 17.
CVSS Score
6.5
EPSS Score
0.008
Published
2020-12-17
A cross-site scripting (XSS) vulnerability in Web Client in Zimbra 9.0 allows a remote attacker to craft links in an E-Mail message or calendar invite to execute arbitrary JavaScript. The attack requires an A element containing an href attribute with a "www" substring (including the quotes) followed immediately by a DOM event listener such as onmouseover. This is fixed in 9.0.0 Patch 2.
CVSS Score
6.1
EPSS Score
0.021
Published
2020-05-05
cs/service/account/AutoCompleteGal.java in Zimbra zm-mailbox before 8.8.15.p8 allows authenticated users to request any GAL account. This differs from the intended behavior in which the domain of the authenticated user must match the domain of the galsync account in the request.
CVSS Score
6.5
EPSS Score
0.002
Published
2020-03-20
Zimbra 2013 has XSS in aspell.php
CVSS Score
6.1
EPSS Score
0.023
Published
2020-02-12
In Zimbra Collaboration before 8.8.15 Patch 1, there is a non-persistent XSS vulnerability.
CVSS Score
6.1
EPSS Score
0.022
Published
2020-01-27
Zimbra Collaboration 8.7.x - 8.8.11P2 contains persistent XSS.
CVSS Score
6.1
EPSS Score
0.023
Published
2020-01-27
Zimbra Collaboration 8.7.x - 8.8.11P2 contains persistent XSS.
CVSS Score
6.1
EPSS Score
0.023
Published
2020-01-27
Zimbra Collaboration 8.7.x - 8.8.11P2 contains non-persistent XSS.
CVSS Score
6.1
EPSS Score
0.023
Published
2020-01-27