
Synacor Zimbra Collaboration Suite vulnerabilities

82 known vulnerabilities affecting synacor/zimbra_collaboration_suite.

Total CVEs: 82
CISA KEV: 17 (actively exploited)
Public exploits: 19
Exploited in wild: 19
Severity breakdown: CRITICAL 12, HIGH 18, MEDIUM 52

Badge legend for the entries below: P1/P2 = priority; KEV = listed in CISA's Known Exploited Vulnerabilities catalog; PoC = public exploit code available; Ransomware = known ransomware campaign use; Exploited = in-the-wild exploitation reported without a KEV listing.

Vulnerabilities

Page 1 of 5
CVE-2022-41352 | P1 | CRITICAL | CVSS 9.8 | KEV, PoC, Ransomware | affected: v9.0.0, v8.8.15 | published 2022-09-26
CWE-22. An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavis via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu;
Source: NVD

CVE-2024-45519 | P1 | CRITICAL | CVSS 9.8 | KEV, PoC | affected: fixed in 8.8.15; ≥ 10.0.0, < 10.0.9; +3 more | published 2024-10-02
CWE-78. The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows unauthenticated users to execute commands.
Source: NVD

CVE-2022-37042 | P1 | CRITICAL | CVSS 9.8 | KEV, PoC, Ransomware | affected: v8.8.15, v9.0.0 | published 2022-08-12
Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fi
Source: NVD

CVE-2019-9670 | P1 | CRITICAL | CVSS 9.8 | KEV, PoC | affected: ≥ 8.7.0, < 8.7.11; v8.7.11 | published 2019-05-29
CWE-611. mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability, as demonstrated by Autodiscover/Autodiscover.xml.
Source: NVD

CVE-2022-27925 | P1 | HIGH | CVSS 7.2 | KEV, PoC, Ransomware | affected: v8.8.15, v9.0.0 | published 2022-04-21
CWE-22. Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.
Source: NVD

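The three archive-extraction entries above (CVE-2022-27925 and CVE-2022-37042 for mboximport ZIP handling, CVE-2022-41352 for cpio via amavis) are the same bug class: an archive member's name is joined to the extraction directory and written without checking where the resulting path lands. The following is an added illustration written for this page, not Zimbra's code and not a reproduction of any Zimbra request: a vulnerable extractor beside a hardened one, run against a constructed in-memory ZIP. The member names, directory layout and the `x.jsp` file name are illustrative assumptions; the containment check in `contained_path` is what matters and applies equally to cpio, tar or any other archive format, since it only looks at the member name.

```python
from __future__ import annotations

import io
import tempfile
import zipfile
from pathlib import Path


def build_sample_archive() -> bytes:
    """Constructed in-memory ZIP (not a captured exploit): one benign mailbox
    entry and one entry whose name climbs out of the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mailbox/Inbox/1.eml", "Subject: hello\r\n\r\nbody\r\n")
        # The name is relative to wherever the extractor unpacks; the target
        # directory and file name are illustrative only.
        zf.writestr("../../webapps/zimbra/public/x.jsp", "<% /* placeholder */ %>")
    return buf.getvalue()


def extract_unsafe(zip_bytes: bytes, dest: Path) -> list[Path]:
    """Vulnerable pattern: join the member name to dest and write it."""
    written: list[Path] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = dest / info.filename  # no check that it stays under dest
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def contained_path(dest: Path, member_name: str) -> Path | None:
    """Return the real path for member_name under dest, or None if it would
    land outside dest. Resolving both sides handles absolute names, '..'
    components and symlinked parents. Backslashes are ordinary characters on
    POSIX; normalise them first if the extractor will ever run on Windows."""
    root = dest.resolve()
    candidate = (root / member_name).resolve()
    if candidate == root or root not in candidate.parents:
        return None
    return candidate


def extract_safe(zip_bytes: bytes, dest: Path) -> tuple[list[Path], list[str]]:
    """Hardened pattern: every member name passes contained_path() before the
    filesystem is touched. Returns (written paths, rejected member names)."""
    written: list[Path] = []
    rejected: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = contained_path(dest, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written, rejected


def escaped_files(written: list[Path], dest: Path) -> list[Path]:
    """Post-hoc audit: which written files ended up outside dest."""
    root = dest.resolve()
    return [p for p in written if root not in p.resolve().parents]


def run_demo() -> dict:
    """Run both extractors on the sample archive inside a scratch directory
    laid out so that the traversal stays within the scratch tree."""
    scratch = Path(tempfile.mkdtemp()).resolve()
    unsafe_dest = scratch / "unsafe" / "import"
    safe_dest = scratch / "safe" / "import"
    unsafe_dest.mkdir(parents=True)
    safe_dest.mkdir(parents=True)
    archive = build_sample_archive()

    unsafe_written = extract_unsafe(archive, unsafe_dest)
    safe_written, rejected = extract_safe(archive, safe_dest)
    return {
        "unsafe_escaped": [p.resolve().relative_to(scratch).as_posix()
                           for p in escaped_files(unsafe_written, unsafe_dest)],
        "safe_written": [p.relative_to(safe_dest).as_posix() for p in safe_written],
        "safe_rejected": rejected,
        "absolute_rejected": contained_path(safe_dest, "/etc/passwd") is None,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it shows the unsafe extractor dropping `webapps/zimbra/public/x.jsp` two levels above its extraction directory while the hardened one writes only `mailbox/Inbox/1.eml` and reports the traversal entry as rejected. The check deliberately resolves the candidate before comparing, so a symlink already present under the destination cannot be used to redirect a write either.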
CVE-2020-7796 | P1 | CRITICAL | CVSS 9.8 | KEV, PoC | affected: fixed in 8.8.15; v8.8.15 | published 2020-02-18
CWE-918. Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is enabled.
Source: NVD

CVE-2022-27924 | P1 | HIGH | CVSS 7.5 | KEV, PoC, Ransomware | affected: v8.8.15, v9.0.0 | published 2022-04-21
CWE-74. Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance. These memcache commands become unescaped, causing an overwrite of arbitrary cached entries.
Source: NVD

CVE-2019-9621 | P1 | HIGH | CVSS 7.5 | KEV, PoC | affected: fixed in 8.6.0; ≥ 8.7.0, < 8.7.11; +6 more | published 2019-04-30
CWE-918. Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows SSRF via the ProxyServlet component.
Source: NVD

CVE-2025-68645 | P1 | HIGH | CVSS 8.8 | KEV, PoC | affected: ≥ 10.0.0, < 10.0.18; ≥ 10.1.0, < 10.1.13 | published 2025-12-22
CWE-98. A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of
Source: NVD

CVE-2023-34192 | P1 | CRITICAL | CVSS 9.0 | KEV, PoC | affected: v8.8.15 | published 2023-07-06
CWE-79. Cross Site Scripting vulnerability in Zimbra ZCS v.8.8.15 allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function.
Source: NVD

CVE-2023-37580 | P1 | MEDIUM | CVSS 6.1 | KEV, PoC | affected: ≥ 8.8.0, < 8.8.15; v8.8.15 | published 2023-07-31
CWE-79. Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client.
Source: NVD

CVE-2022-24682 | P1 | MEDIUM | CVSS 6.1 | KEV, PoC, Ransomware | affected: ≥ 8.8.0, < 8.8.15; v8.8.15 | published 2022-02-09
CWE-116. An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild starting in December 2021. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document.
Source: NVD

CVE-2018-6882 | P1 | MEDIUM | CVSS 6.1 | KEV, PoC, Ransomware | affected: fixed in 8.7.0; v8.7.0; +7 more | published 2018-03-27
CWE-79. Cross-site scripting (XSS) vulnerability in the ZmMailMsgView.getAttachmentLinkHtml function in Zimbra Collaboration Suite (ZCS) before 8.7 Patch 1 and 8.8.x before 8.8.7 might allow remote attackers to inject arbitrary web script or HTML via a Content-Location header in an email attachment.
Source: NVD

CVE-2022-27926 | P1 | MEDIUM | CVSS 6.1 | KEV, PoC | affected: v9.0.0 | published 2022-04-21
CWE-79. A reflected cross-site scripting (XSS) vulnerability in the /public/launchNewWindow.jsp component of Zimbra Collaboration (aka ZCS) 9.0 allows unauthenticated attackers to execute arbitrary web script or HTML via request parameters.
Source: NVD

CVE-2025-27915 | P2 | MEDIUM | CVSS 5.4 | KEV, PoC | affected: ≥ 10.0.0, < 10.0.13; ≥ 10.1.0, < 10.1.5; +1 more | published 2025-03-12
CWE-79. An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event insi
Source: NVD

CVE-2025-66376 | P2 | MEDIUM | CVSS 6.1 | KEV | affected: ≥ 10.0.0, < 10.0.18; ≥ 10.1.0, < 10.1.13 | published 2026-01-05
CWE-79. Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.
Source: NVD

CVE-2025-48700 | P2 | MEDIUM | CVSS 6.1 | KEV | affected: ≥ 10.0.0, < 10.0.12; ≥ 10.1.0, < 10.1.4; +2 more | published 2025-06-23
CWE-79. An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 and 10.1. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of
Source: NVD

CVE-2013-7091 | P2 | MEDIUM | CVSS 5.0 | Exploited, PoC | affected: v6.0.0, v6.0.1; +14 more | published 2013-12-13
CWE-22. Directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the skin parameter. NOTE: this can be leveraged to execute arbitrary code by obtaining LDAP credentials and accessing the service/admin/soap API
Source: NVD

CVE-2024-50599 | P2 | MEDIUM | CVSS 6.1 | Exploited | affected: v8.8.15 | published 2024-11-07
CWE-79. A reflected Cross-Site Scripting (XSS) vulnerability has been identified in Zimbra Collaboration Suite (ZCS) 8.8.15, affecting one of the webmail calendar endpoints. This arises from improper handling of user-supplied input, allowing an attacker to inject malicious code that is reflected back in the HTML response.
Source: NVD

CVE-2025-25064 | P2 | HIGH | CVSS 8.8 | affected: ≥ 10.0.0, < 10.0.12; ≥ 10.1.0, < 10.1.4 | published 2025-02-03
CWE-89. SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. Authenticated attackers can exploit this vulnerability by manipulating a specific parameter in the request, allowing them to inject arbitrary SQL querie
Source: NVD

Synacor Zimbra Collaboration Suite vulnerabilities | cvebase