Webapp
by Zarafa
CVEs (7)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-25443 | Hig | 0.53 | 8.2 | 0.00 | Feb 22, 2026 | Inventory Webapp contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through GET parameters. Attackers can supply malicious SQL payloads in the name, description, quantity, or cat_id parameters to… | ||
| CVE-2019-25234 | Med | 0.34 | 5.3 | 0.00 | Dec 24, 2025 | SmartHouse Webapp 6.5.33 contains multiple cross-site request forgery and cross-site scripting vulnerabilities that allow attackers to perform unauthorized actions. Attackers can exploit these vulnerabilities by tricking logged-in users into visiting malicious websites or… | ||
| CVE-2019-7219 | 0.01 | — | 0.05 | Apr 11, 2019 | Unauthenticated reflected cross-site scripting (XSS) exists in Zarafa Webapp 2.0.1.47791 and earlier. NOTE: this is a discontinued product. The issue was fixed in later Zarafa Webapp versions; however, some former Zarafa Webapp customers use the related Kopano product instead. | |||
| CVE-2014-9465 | 0.00 | — | 0.03 | Feb 19, 2015 | senddocument.php in Zarafa WebApp before 2.0 beta 3 and WebAccess in Zarafa Collaboration Platform (ZCP) 7.x before 7.1.12 beta 1 and 7.2.x before 7.2.0 beta 1 allows remote attackers to cause a denial of service (/tmp disk consumption) by uploading a large number of files. | |||
| CVE-2014-5449 | 0.00 | — | 0.00 | Oct 20, 2014 | Zarafa WebAccess 4.1 and WebApp uses world-readable permissions for the files in their tmp directory, which allows local users to obtain sensitive information by reading temporary session data. | |||
| CVE-2014-5447 | 0.00 | — | 0.00 | Oct 20, 2014 | Zarafa WebAccess 7.1.10 and WebApp 1.6 beta uses weak permissions (644) for config.php, which allows local users to obtain sensitive information by reading the PHP session files. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0103. | |||
| CVE-2014-0103 | 0.00 | — | 0.00 | Jul 29, 2014 | WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files. |
- risk 0.53cvss 8.2epss 0.00
Inventory Webapp contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through GET parameters. Attackers can supply malicious SQL payloads in the name, description, quantity, or cat_id parameters to…
- risk 0.34cvss 5.3epss 0.00
SmartHouse Webapp 6.5.33 contains multiple cross-site request forgery and cross-site scripting vulnerabilities that allow attackers to perform unauthorized actions. Attackers can exploit these vulnerabilities by tricking logged-in users into visiting malicious websites or…
- CVE-2019-7219Apr 11, 2019risk 0.01cvss —epss 0.05
Unauthenticated reflected cross-site scripting (XSS) exists in Zarafa Webapp 2.0.1.47791 and earlier. NOTE: this is a discontinued product. The issue was fixed in later Zarafa Webapp versions; however, some former Zarafa Webapp customers use the related Kopano product instead.
- CVE-2014-9465Feb 19, 2015risk 0.00cvss —epss 0.03
senddocument.php in Zarafa WebApp before 2.0 beta 3 and WebAccess in Zarafa Collaboration Platform (ZCP) 7.x before 7.1.12 beta 1 and 7.2.x before 7.2.0 beta 1 allows remote attackers to cause a denial of service (/tmp disk consumption) by uploading a large number of files.
- CVE-2014-5449Oct 20, 2014risk 0.00cvss —epss 0.00
Zarafa WebAccess 4.1 and WebApp uses world-readable permissions for the files in their tmp directory, which allows local users to obtain sensitive information by reading temporary session data.
- CVE-2014-5447Oct 20, 2014risk 0.00cvss —epss 0.00
Zarafa WebAccess 7.1.10 and WebApp 1.6 beta uses weak permissions (644) for config.php, which allows local users to obtain sensitive information by reading the PHP session files. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0103.
- CVE-2014-0103Jul 29, 2014risk 0.00cvss —epss 0.00
WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files.