
Zimbra Collaboration vulnerabilities

43 known vulnerabilities affecting zimbra/collaboration.

Total CVEs: 43
CISA KEV: 2 (actively exploited)
Public exploits: 2
Exploited in wild: 2
Severity breakdown: CRITICAL 4, HIGH 10, MEDIUM 29

Vulnerabilities

Page 2 of 3
CVE-2024-33536 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | Affected: ≥ 10.0.0, < 10.0.8; 9.0.0 | Date: 2024-08-12
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The vulnerability occurs due to inadequate input validation of the res parameter, allowing an authenticated attacker to inject and execute arbitrary JavaScript code within the context of another user's browser session. By uploading a malicious JavaScript file, accessible externally, a
Source: nvd

CVE-2021-34807 | P4 | MEDIUM | CVSS 6.1 | CWE-601 | Affected: fixed in 8.8.15; 8.8.15; +1 more | Date: 2021-07-02
An open redirect vulnerability exists in the /preauth Servlet in Zimbra Collaboration Suite through 9.0. To exploit the vulnerability, an attacker would need to have obtained a valid zimbra auth token or a valid preauth token. Once the token is obtained, an attacker could redirect a user to any URL via isredirect=1&redirectURL= in conjunction with th
Source: nvd

CVE-2023-50808 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: fixed in 9.0.0; 9.0.0 | Date: 2024-02-13
Zimbra Collaboration before Kepler 9.0.0 Patch 38 GA allows DOM-based JavaScript injection in the Modern UI.
Source: nvd

CVE-2023-43102 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: fixed in 8.8.15; ≥ 10.0.0, < 10.0.4; +2 more | Date: 2023-12-07
An issue was discovered in Zimbra Collaboration (ZCS) before 10.0.4. An XSS issue can be exploited to access the mailbox of an authenticated user. This is also fixed in 8.8.15 Patch 43 and 9.0.0 Patch 36.
Source: nvd

CVE-2024-45515 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≤ 10.1.0 | Date: 2025-07-30
An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A Cross-Site Scripting (XSS) vulnerability exists in Zimbra webmail due to insufficient validation of the content type metadata when importing files into the briefcase. Attackers can exploit this issue by crafting a file with manipulated metadata, allowing them to bypass content type
Source: nvd

CVE-2021-35208 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | Affected: ≥ 8.8, < 8.8.15; 8.8.15 | Date: 2021-07-02
An issue was discovered in ZmMailMsgView.js in the Calendar Invite component in Zimbra Collaboration Suite 8.8.x before 8.8.15 Patch 23. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document.
Source: nvd

CVE-2022-37043 | P4 | MEDIUM | CVSS 5.7 | CWE-352 | Affected: 8.8.15; 9.0.0 | Date: 2022-08-12
An issue was discovered in the webmail component in Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0. When using preauth, CSRF tokens are not checked on some POST endpoints. Thus, when an authenticated user views an attacker-controlled page, a request will be sent to the application that appears to be intended. The CSRF token is omitted from the requ
Source: nvd

CVE-2025-62763 | P4 | MEDIUM | CVSS 5.0 | CWE-918 | Affected: fixed in 10.1.12 | Date: 2025-10-21
Zimbra Collaboration (ZCS) before 10.1.12 allows SSRF because of the configuration of the chat proxy.
Source: nvd

CVE-2023-48432 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≥ 10.0.0, < 10.0.6; 8.8.15; +1 more | Date: 2024-02-13
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15, 9.0, and 10.0. XSS, with resultant session stealing, can occur via JavaScript code in a link (for a webmail redirection endpoint) within an email message, e.g., if a victim clicks on that link within Zimbra webmail.
Source: nvd

CVE-2023-24031 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: 9.0.0 | Date: 2023-06-15
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 8.8.15. XSS can occur, via one of the attributes of the webmail /h/ endpoint, to execute arbitrary JavaScript code, leading to information disclosure.
Source: nvd

CVE-2023-24030 | P4 | MEDIUM | CVSS 6.1 | Affected: 8.8.15; 9.0.0 | Date: 2023-06-15
An open redirect vulnerability exists in the /preauth Servlet in Zimbra Collaboration Suite through 9.0 and 8.8.15. To exploit the vulnerability, an attacker would need to have obtained a valid zimbra auth token or a valid preauth token. Once the token is obtained, an attacker could redirect a user to any URL if url sanitisation is bypassed in incoming reque
Source: nvd

CVE-2025-67809 | P4 | MEDIUM | CVSS 4.7 | CWE-798 | Affected: ≥ 10.0.0, < 10.1.13 | Date: 2025-12-15
An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A hardcoded Flickr API key and secret are present in the publicly accessible Flickr Zimlet used by Zimbra Collaboration. Because these credentials are embedded directly in the Zimlet, any unauthorized party could retrieve them and misuse the Flickr integration. An attacker with acce
Source: nvd

CVE-2023-43103 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: fixed in 8.8.15; ≥ 10.0.0, < 10.0.4; +2 more | Date: 2023-12-07
An XSS issue was discovered in a web endpoint in Zimbra Collaboration (ZCS) before 10.0.4 via an unsanitized parameter. This is also fixed in 8.8.15 Patch 43 and 9.0.0 Patch 36.
Source: nvd

CVE-2022-45911 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: 9.0.0 | Date: 2023-01-06
An issue was discovered in Zimbra Collaboration (ZCS) 9.0. XSS can occur on the Classic UI login page by injecting arbitrary JavaScript code in the username field. This occurs before the user logs into the system, which means that even if the attacker executes arbitrary JavaScript, they will not get any sensitive information.
Source: nvd

CVE-2022-45913 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: 8.8.15; 9.0.0 | Date: 2023-01-06
An issue was discovered in Zimbra Collaboration (ZCS) 9.0. XSS can occur via one of the attributes in webmail URLs to execute arbitrary JavaScript code, leading to information disclosure.
Source: nvd

CVE-2022-41351 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: 8.8.15 | Date: 2022-10-12
In Zimbra Collaboration Suite (ZCS) 8.8.15, at the URL /h/calendar, one can trigger XSS by adding JavaScript code to the view parameter and changing the value of the uncheck parameter to a string (instead of the default value of 10).
Source: nvd

CVE-2022-37044 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: 8.8.15 | Date: 2022-08-12
In Zimbra Collaboration Suite (ZCS) 8.8.15, the URL at /h/search?action accepts parameters called extra, title, and onload that are partially sanitised and lead to reflected XSS that allows executing arbitrary JavaScript on the victim's machine.
Source: nvd

CVE-2022-41349 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: 8.8.15 | Date: 2022-10-12
In Zimbra Collaboration Suite (ZCS) 8.8.15, the URL at /h/compose accepts an attachUrl parameter that is vulnerable to Reflected XSS. This allows executing arbitrary JavaScript on the victim's machine.
Source: nvd

CVE-2024-33533 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | Affected: ≥ 10.0.0, < 10.0.8; 9.0.0 | Date: 2024-08-12
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0, issue 1 of 2. A reflected cross-site scripting (XSS) vulnerability has been identified in the Zimbra webmail admin interface. This vulnerability occurs due to inadequate input validation of the packages parameter, allowing an authenticated attacker to inject and execute arbitrary Jav
Source: nvd

CVE-2023-45206 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≥ 10.0.0, < 10.0.5; 8.8.15; +1 more | Date: 2024-02-13
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15, 9.0, and 10.0. Through the help document endpoint in webmail, an attacker can inject JavaScript or HTML code that leads to cross-site scripting (XSS). (Adding an adequate message to avoid malicious code will mitigate this issue.)
Source: nvd