Zm Build
by Zimbra
Source repositories
CVEs (13)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-6882 | Med | 0.60 | 6.1 | 0.24 | KEV | Mar 27, 2018 | Cross-site scripting (XSS) vulnerability in the ZmMailMsgView.getAttachmentLinkHtml function in Zimbra Collaboration Suite (ZCS) before 8.7 Patch 1 and 8.8.x before 8.8.7 might allow remote attackers to inject arbitrary web script or HTML via a Content-Location header in an… | |
| CVE-2015-7610 | Hig | 0.57 | 8.8 | 0.01 | May 30, 2018 | Cross-site request forgery (CSRF) vulnerability in the login form in Zimbra Collaboration Suite (aka ZCS) before 8.6.0 Patch 10, 8.7.x before 8.7.11 Patch 2, and 8.8.x before 8.8.8 Patch 1 allows remote attackers to hijack the authentication of unspecified victims by leveraging… | ||
| CVE-2018-10951 | Med | 0.42 | 6.5 | 0.01 | May 10, 2018 | mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 before 8.6.0.Patch10 allows zimbraSSLPrivateKey read access via a GetServer, GetAllServers, or GetAllActiveServers call in the Admin SOAP API. | ||
| CVE-2018-10939 | Med | 0.40 | 6.1 | 0.01 | May 30, 2018 | Zimbra Web Client (ZWC) in Zimbra Collaboration Suite 8.8 before 8.8.8.Patch4 and 8.7 before 8.7.11.Patch4 has Persistent XSS via a contact group. | ||
| CVE-2017-17703 | Med | 0.40 | 6.1 | 0.01 | Feb 4, 2018 | Synacor Zimbra Collaboration Suite (ZCS) before 8.8.3 has Persistent XSS. | ||
| CVE-2018-10950 | Med | 0.35 | 5.3 | 0.01 | May 10, 2018 | mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 before 8.6.0.Patch10 allows Information Exposure through Verbose Error Messages containing a stack dump, tracing data, or full user-context dump. | ||
| CVE-2018-10949 | Med | 0.35 | 5.3 | 0.02 | May 10, 2018 | mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 allows Account Enumeration by leveraging a Discrepancy between the "HTTP 404 - account is not active" and "HTTP 401 - must authenticate" errors. | ||
| CVE-2017-8783 | Med | 0.35 | 5.4 | 0.01 | Feb 4, 2018 | Synacor Zimbra Collaboration Suite (ZCS) before 8.7.10 has Persistent XSS. | ||
| CVE-2018-17938 | Med | 0.34 | 5.3 | 0.01 | Oct 3, 2018 | Zimbra Collaboration before 8.8.10 GA allows text content spoofing via a loginErrorCode value. | ||
| CVE-2019-9621 | 0.23 | — | 0.81 | KEV | Apr 30, 2019 | Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows SSRF via the ProxyServlet component. | ||
| CVE-2025-68645 | 0.16 | — | 0.32 | KEV | Dec 22, 2025 | A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the… | ||
| CVE-2025-66376 | 0.13 | — | 0.12 | KEV | Jan 5, 2026 | Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message. | ||
| CVE-2025-67809 | 0.00 | — | 0.00 | Dec 15, 2025 | An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A hardcoded Flickr API key and secret are present in the publicly accessible Flickr Zimlet used by Zimbra Collaboration. Because these credentials are embedded directly in the Zimlet, any unauthorized party… |
- risk 0.60cvss 6.1epss 0.24
Cross-site scripting (XSS) vulnerability in the ZmMailMsgView.getAttachmentLinkHtml function in Zimbra Collaboration Suite (ZCS) before 8.7 Patch 1 and 8.8.x before 8.8.7 might allow remote attackers to inject arbitrary web script or HTML via a Content-Location header in an…
- risk 0.57cvss 8.8epss 0.01
Cross-site request forgery (CSRF) vulnerability in the login form in Zimbra Collaboration Suite (aka ZCS) before 8.6.0 Patch 10, 8.7.x before 8.7.11 Patch 2, and 8.8.x before 8.8.8 Patch 1 allows remote attackers to hijack the authentication of unspecified victims by leveraging…
- risk 0.42cvss 6.5epss 0.01
mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 before 8.6.0.Patch10 allows zimbraSSLPrivateKey read access via a GetServer, GetAllServers, or GetAllActiveServers call in the Admin SOAP API.
- risk 0.40cvss 6.1epss 0.01
Zimbra Web Client (ZWC) in Zimbra Collaboration Suite 8.8 before 8.8.8.Patch4 and 8.7 before 8.7.11.Patch4 has Persistent XSS via a contact group.
- risk 0.40cvss 6.1epss 0.01
Synacor Zimbra Collaboration Suite (ZCS) before 8.8.3 has Persistent XSS.
- risk 0.35cvss 5.3epss 0.01
mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 before 8.6.0.Patch10 allows Information Exposure through Verbose Error Messages containing a stack dump, tracing data, or full user-context dump.
- risk 0.35cvss 5.3epss 0.02
mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 allows Account Enumeration by leveraging a Discrepancy between the "HTTP 404 - account is not active" and "HTTP 401 - must authenticate" errors.
- risk 0.35cvss 5.4epss 0.01
Synacor Zimbra Collaboration Suite (ZCS) before 8.7.10 has Persistent XSS.
- risk 0.34cvss 5.3epss 0.01
Zimbra Collaboration before 8.8.10 GA allows text content spoofing via a loginErrorCode value.
- risk 0.23cvss —epss 0.81
Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows SSRF via the ProxyServlet component.
- risk 0.16cvss —epss 0.32
A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the…
- risk 0.13cvss —epss 0.12
Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.
- CVE-2025-67809Dec 15, 2025risk 0.00cvss —epss 0.00
An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A hardcoded Flickr API key and secret are present in the publicly accessible Flickr Zimlet used by Zimbra Collaboration. Because these credentials are embedded directly in the Zimlet, any unauthorized party…