VYPR

Vendor CVEs

Zimbra

All CVEs

139 total · sorted by risk
  • CVE-2016-9924CriMar 29, 2017
    risk 0.64cvss 9.8epss 0.03

    Zimbra Collaboration Suite (ZCS) before 8.7.4 allows remote attackers to conduct XML External Entity (XXE) attacks.

  • CVE-2018-6882MedKEVMar 27, 2018
    risk 0.60cvss 6.1epss 0.24

    Cross-site scripting (XSS) vulnerability in the ZmMailMsgView.getAttachmentLinkHtml function in Zimbra Collaboration Suite (ZCS) before 8.7 Patch 1 and 8.8.x before 8.8.7 might allow remote attackers to inject arbitrary web script or HTML via a Content-Location header in an…

  • CVE-2015-6541HigApr 8, 2016
    risk 0.60cvss 8.8epss 0.03

    Multiple cross-site request forgery (CSRF) vulnerabilities in the Mail interface in Zimbra Collaboration Server (ZCS) before 8.5 allow remote attackers to hijack the authentication of arbitrary users for requests that change account preferences via a SOAP request to…

  • CVE-2025-54391CriSep 16, 2025
    risk 0.59cvss 9.1epss 0.01

    A vulnerability in the EnableTwoFactorAuthRequest SOAP endpoint of Zimbra Collaboration (ZCS) allows an attacker with valid user credentials to bypass Two-Factor Authentication (2FA) protection. The attacker can configure an additional 2FA method (either a third-party…

  • CVE-2016-3415CriJan 18, 2017
    risk 0.59cvss 9.1epss 0.02

    Zimbra Collaboration before 8.7.0 allows remote attackers to conduct deserialization attacks via unspecified vectors, aka bug 102276.

  • CVE-2026-33373HigMar 30, 2026
    risk 0.57cvss 8.8epss 0.00

    An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A Cross-Site Request Forgery (CSRF) vulnerability exists in Zimbra Web Client due to the issuance of authentication tokens without CSRF protection during certain account state transitions. Specifically, tokens…

  • CVE-2015-7610HigMay 30, 2018
    risk 0.57cvss 8.8epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the login form in Zimbra Collaboration Suite (aka ZCS) before 8.6.0 Patch 10, 8.7.x before 8.7.11 Patch 2, and 8.8.x before 8.8.8 Patch 1 allows remote attackers to hijack the authentication of unspecified victims by leveraging…

  • CVE-2016-3403HigMay 17, 2017
    risk 0.57cvss 8.8epss 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in the Admin Console in Zimbra Collaboration before 8.6.0 Patch 8 allow remote attackers to hijack the authentication of administrators for requests that (1) add, (2) modify, or (3) remove accounts by leveraging failure…

  • CVE-2016-3406HigJan 18, 2017
    risk 0.57cvss 8.8epss 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to hijack the authentication of unspecified victims via vectors involving (1) the Client uploader extension or (2) extension REST handlers, aka bugs 104294 and…

  • CVE-2025-53645HigJul 9, 2025
    risk 0.49cvss 7.5epss 0.01

    Zimbra Collaboration (ZCS) before 9.0.0 Patch 46, 10.0.x before 10.0.15, and 10.1.x before 10.1.9 is vulnerable to a denial of service condition due to improper handling of excessive, comma-separated path segments in the Admin Console. An unauthenticated remote attacker can send…

  • CVE-2016-4019HigJan 18, 2017
    risk 0.49cvss 7.5epss 0.02

    Unspecified vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to affect integrity via unknown vectors, aka bug 104477.

  • CVE-2016-3413HigJan 18, 2017
    risk 0.49cvss 7.5epss 0.02

    Unspecified vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to affect integrity via unknown vectors, aka bug 103996.

  • CVE-2016-3405HigJan 18, 2017
    risk 0.49cvss 7.5epss 0.02

    Multiple unspecified vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to affect integrity via unknown vectors, aka bugs 103961 and 104828.

  • CVE-2016-3404HigJan 18, 2017
    risk 0.49cvss 7.5epss 0.02

    Unspecified vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to affect integrity via unknown vectors, aka bug 103959.

  • CVE-2016-3402HigJan 18, 2017
    risk 0.49cvss 7.5epss 0.02

    Unspecified vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to affect confidentiality via unknown vectors, aka bug 99167.

  • CVE-2025-48700MedKEVJun 23, 2025
    risk 0.46cvss 6.1epss 0.02

    An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 and 10.1. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to…

  • CVE-2016-3411MedJan 18, 2017
    risk 0.43cvss 6.1epss 0.04

    Cross-site scripting (XSS) vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bug 103609.

  • CVE-2018-10951MedMay 10, 2018
    risk 0.42cvss 6.5epss 0.01

    mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 before 8.6.0.Patch10 allows zimbraSSLPrivateKey read access via a GetServer, GetAllServers, or GetAllActiveServers call in the Admin SOAP API.

  • CVE-2016-3414MedJan 18, 2017
    risk 0.42cvss 6.5epss 0.02

    Unspecified vulnerability in Zimbra Collaboration before 8.6.0 Patch 7 allows remote authenticated users to affect availability via unknown vectors, aka bug 102029.

  • CVE-2016-3401MedJan 18, 2017
    risk 0.42cvss 6.5epss 0.02

    Unspecified vulnerability in Zimbra Collaboration before 8.7.0 allows remote authenticated users to affect integrity via unknown vectors, aka bug 99810.

  • CVE-2025-54390MedSep 17, 2025
    risk 0.41cvss 6.3epss 0.00

    A Cross-Site Request Forgery (CSRF) vulnerability exists in the ResetPasswordRequest operation of Zimbra Collaboration (ZCS) when the zimbraFeatureResetPasswordStatus attribute is enabled. An attacker can exploit this by tricking an authenticated user into visiting a malicious…

  • CVE-2026-33370MedMar 20, 2026
    risk 0.40cvss 6.1epss 0.00

    An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Zimbra Briefcase feature due to insufficient sanitization of specific uploaded file types. When a user opens a publicly shared Briefcase file…

  • CVE-2026-33368MedMar 20, 2026
    risk 0.40cvss 6.1epss 0.00

    Zimbra Collaboration Suite (ZCS) 10.0 and 10.1 contains a reflected cross-site scripting (XSS) vulnerability in the Classic Webmail REST interface (/h/rest). The application fails to properly sanitize user-supplied input, allowing an unauthenticated attacker to inject malicious…

  • CVE-2018-10939MedMay 30, 2018
    risk 0.40cvss 6.1epss 0.01

    Zimbra Web Client (ZWC) in Zimbra Collaboration Suite 8.8 before 8.8.8.Patch4 and 8.7 before 8.7.11.Patch4 has Persistent XSS via a contact group.

  • CVE-2017-17703MedFeb 4, 2018
    risk 0.40cvss 6.1epss 0.01

    Synacor Zimbra Collaboration Suite (ZCS) before 8.8.3 has Persistent XSS.

  • CVE-2016-3999MedJan 18, 2017
    risk 0.40cvss 6.1epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bugs 104552 and 104703.

  • CVE-2016-3412MedJan 18, 2017
    risk 0.40cvss 6.1epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bugs 103997, 104413, 104414, 104777, and 104791.

  • CVE-2016-3410MedJan 18, 2017
    risk 0.40cvss 6.1epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bugs 103956, 103995, 104475, 104838, and 104839.

  • CVE-2016-3409MedJan 18, 2017
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting (XSS) vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bug 102637.

  • CVE-2016-3408MedJan 18, 2017
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting (XSS) vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bug 101813.

  • CVE-2016-3407MedJan 18, 2017
    risk 0.40cvss 6.1epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bugs 104222, 104910, 105071, and 105175.

  • CVE-2016-5721MedAug 29, 2016
    risk 0.40cvss 6.1epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2018-10950MedMay 10, 2018
    risk 0.35cvss 5.3epss 0.01

    mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 before 8.6.0.Patch10 allows Information Exposure through Verbose Error Messages containing a stack dump, tracing data, or full user-context dump.

  • CVE-2018-10949MedMay 10, 2018
    risk 0.35cvss 5.3epss 0.02

    mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 allows Account Enumeration by leveraging a Discrepancy between the "HTTP 404 - account is not active" and "HTTP 401 - must authenticate" errors.

  • CVE-2017-8783MedFeb 4, 2018
    risk 0.35cvss 5.4epss 0.01

    Synacor Zimbra Collaboration Suite (ZCS) before 8.7.10 has Persistent XSS.

  • CVE-2018-17938MedOct 3, 2018
    risk 0.34cvss 5.3epss 0.01

    Zimbra Collaboration before 8.8.10 GA allows text content spoofing via a loginErrorCode value.

  • CVE-2025-62763MedOct 21, 2025
    risk 0.33cvss 5.0epss 0.00

    Zimbra Collaboration (ZCS) before 10.1.12 allows SSRF because of the configuration of the chat proxy.

  • CVE-2022-37042KEVAug 11, 2022
    risk 0.29cvss epss 0.88

    Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal…

  • CVE-2022-27925KEVApr 20, 2022
    risk 0.29cvss epss 0.98

    Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.

  • CVE-2026-33371MedMar 20, 2026
    risk 0.28cvss 4.3epss 0.00

    An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. An XML External Entity (XXE) vulnerability exists in the Zimbra Exchange Web Services (EWS) SOAP interface due to improper handling of XML input. An authenticated attacker can submit crafted XML data that is…

  • CVE-2026-33369MedMar 20, 2026
    risk 0.28cvss 4.3epss 0.00

    Zimbra Collaboration (ZCS) 10.0 and 10.1 contains an LDAP injection vulnerability in the Mailbox SOAP service within a FolderAction operation. The application fails to properly sanitize user-supplied input before incorporating it into an LDAP search filter. An authenticated…

  • CVE-2022-27924KEVApr 20, 2022
    risk 0.25cvss epss 0.85

    Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance. These memcache commands becomes unescaped, causing an overwrite of arbitrary cached entries.

  • CVE-2022-24682KEVFeb 9, 2022
    risk 0.25cvss epss 0.31

    An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild starting in December 2021. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes…

  • CVE-2022-41352KEVSep 26, 2022
    risk 0.23cvss epss 0.95

    An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavis via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends…

  • CVE-2019-9670KEVMay 29, 2019
    risk 0.23cvss epss 1.00

    mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability, as demonstrated by Autodiscover/Autodiscover.xml.

  • CVE-2019-9621KEVApr 30, 2019
    risk 0.23cvss epss 0.81

    Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows SSRF via the ProxyServlet component.

  • CVE-2024-45519KEVOct 2, 2024
    risk 0.20cvss epss 1.00

    The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows unauthenticated users to execute commands.

  • CVE-2023-37580KEVJul 31, 2023
    risk 0.20cvss epss 0.59

    Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client.

  • CVE-2022-27926KEVApr 20, 2022
    risk 0.20cvss epss 0.17

    A reflected cross-site scripting (XSS) vulnerability in the /public/launchNewWindow.jsp component of Zimbra Collaboration (aka ZCS) 9.0 allows unauthenticated attackers to execute arbitrary web script or HTML via request parameters.

  • CVE-2023-34192KEVJul 6, 2023
    risk 0.19cvss epss 0.77

    Cross Site Scripting vulnerability in Zimbra ZCS v.8.8.15 allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function.

Page 1 of 3