VYPR
Vendor

Zarafa

Products
4
CVEs
15
Across products
21
Status
Private

Products

4

Recent CVEs

15
  • CVE-2015-6566HigJan 11, 2016
    risk 0.55cvss 8.4epss 0.00

    zarafa-autorespond in Zarafa Collaboration Platform (ZCP) before 7.2.1 allows local users to gain privileges via a symlink attack on /tmp/zarafa-vacation-*.

  • CVE-2019-25443HigFeb 22, 2026
    risk 0.53cvss 8.2epss 0.00

    Inventory Webapp contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through GET parameters. Attackers can supply malicious SQL payloads in the name, description, quantity, or cat_id parameters to…

  • CVE-2014-5450MedMar 19, 2018
    risk 0.36cvss 5.5epss 0.00

    Zarafa Collaboration Platform 4.1 uses world-readable permissions for /etc/zarafa/license, which allows local users to obtain sensitive information by reading license files.

  • CVE-2019-25234MedDec 24, 2025
    risk 0.34cvss 5.3epss 0.00

    SmartHouse Webapp 6.5.33 contains multiple cross-site request forgery and cross-site scripting vulnerabilities that allow attackers to perform unauthorized actions. Attackers can exploit these vulnerabilities by tricking logged-in users into visiting malicious websites or…

  • CVE-2019-7219Apr 11, 2019
    risk 0.01cvss epss 0.05

    Unauthenticated reflected cross-site scripting (XSS) exists in Zarafa Webapp 2.0.1.47791 and earlier. NOTE: this is a discontinued product. The issue was fixed in later Zarafa Webapp versions; however, some former Zarafa Webapp customers use the related Kopano product instead.

  • CVE-2022-26562Apr 1, 2022
    risk 0.00cvss epss 0.02

    An issue in provider/libserver/ECKrbAuth.cpp of Kopano Core <= v11.0.2.51 contains an issue which allows attackers to authenticate even if the user account or password is expired. It also exists in the predecessor Zarafa Collaboration Platform (ZCP) in…

  • CVE-2021-28994Mar 31, 2021
    risk 0.00cvss epss 0.02

    kopano-ical (formerly zarafa-ical) in Kopano Groupware Core through 8.7.16, 9.x through 9.1.0, 10.x through 10.0.7, and 11.x through 11.0.1 and Zarafa 6.30.x through 7.2.x allows memory exhaustion via long HTTP headers.

  • CVE-2015-3436Jun 9, 2015
    risk 0.00cvss epss 0.00

    provider/server/ECServer.cpp in Zarafa Collaboration Platform (ZCP) before 7.1.13 and 7.2.x before 7.2.1 allows local users to write to arbitrary files via a symlink attack on /tmp/zarafa-upgrade-lock.

  • CVE-2014-9465Feb 19, 2015
    risk 0.00cvss epss 0.03

    senddocument.php in Zarafa WebApp before 2.0 beta 3 and WebAccess in Zarafa Collaboration Platform (ZCP) 7.x before 7.1.12 beta 1 and 7.2.x before 7.2.0 beta 1 allows remote attackers to cause a denial of service (/tmp disk consumption) by uploading a large number of files.

  • CVE-2014-5449Oct 20, 2014
    risk 0.00cvss epss 0.00

    Zarafa WebAccess 4.1 and WebApp uses world-readable permissions for the files in their tmp directory, which allows local users to obtain sensitive information by reading temporary session data.

  • CVE-2014-5448Oct 20, 2014
    risk 0.00cvss epss 0.00

    Zarafa 5.00 uses world-readable permissions for the files in the log directory, which allows local users to obtain sensitive information by reading the log files.

  • CVE-2014-5447Oct 20, 2014
    risk 0.00cvss epss 0.00

    Zarafa WebAccess 7.1.10 and WebApp 1.6 beta uses weak permissions (644) for config.php, which allows local users to obtain sensitive information by reading the PHP session files. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0103.

  • CVE-2014-0103Jul 29, 2014
    risk 0.00cvss epss 0.00

    WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files.

  • CVE-2014-0079Apr 28, 2014
    risk 0.00cvss epss 0.02

    The ValidateUserLogon function in provider/libserver/ECSession.cpp in Zarafa 7.1.8, 6.20.0, and earlier, when using certain build conditions, allows remote attackers to cause a denial of service (crash) via vectors related to "a NULL pointer of the password."

  • CVE-2014-0037Apr 28, 2014
    risk 0.00cvss epss 0.02

    The ValidateUserLogon function in provider/libserver/ECSession.cpp in Zarafa 5.00 before 7.1.8 beta2 allows remote attackers to cause a denial of service (crash) via vectors related to "a NULL pointer of the username."