VYPR

Vendor CVEs

Zimbra

All CVEs

139 total · sorted by risk
  • CVE-2020-7796KEVFeb 18, 2020
    risk 0.19cvss epss 0.85

    Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is enabled.

  • CVE-2025-68645KEVDec 22, 2025
    risk 0.16cvss epss 0.32

    A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the…

  • CVE-2017-20191LowMar 31, 2024
    risk 0.16cvss 3.5epss 0.00

    A vulnerability was found in Zimbra zm-admin-ajax up to 8.8.1. It has been classified as problematic. This affects the function XFormItem.prototype.setError of the file WebRoot/js/ajax/dwt/xforms/XFormItem.js of the component Form Textbox Field Error Handler. The manipulation of…

  • CVE-2024-27443KEVAug 12, 2024
    risk 0.15cvss epss 0.20

    An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An…

  • CVE-2025-27915KEVMar 12, 2025
    risk 0.14cvss epss 0.04

    An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a…

  • CVE-2025-66376KEVJan 5, 2026
    risk 0.13cvss epss 0.12

    Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.

  • CVE-2013-7091Dec 13, 2013
    risk 0.10cvss epss 0.86

    Directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the skin parameter. NOTE: this can be leveraged to execute…

  • CVE-2025-25064Feb 3, 2025
    risk 0.04cvss epss 0.34

    SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. Authenticated attackers can exploit this vulnerability by manipulating a…

  • CVE-2022-3569Oct 17, 2022
    risk 0.03cvss epss 0.01

    Due to an issue with incorrect sudo permissions, Zimbra Collaboration Suite (ZCS) suffers from a local privilege escalation issue in versions 9.0.0 and prior, where the 'zimbra' user can effectively coerce postfix into running arbitrary commands as 'root'.

  • CVE-2012-1213Feb 24, 2012
    risk 0.03cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in zimbra/h/calendar in Zimbra Web Client in Zimbra Collaboration Suite (ZCS) 6.x before 6.0.15 and 7.x before 7.1.3 allows remote attackers to inject arbitrary web script or HTML via the view parameter.

  • CVE-2024-50599Nov 7, 2024
    risk 0.02cvss epss 0.61

    A reflected Cross-Site Scripting (XSS) vulnerability has been identified in Zimbra Collaboration Suite (ZCS) 8.8.15, affecting one of the webmail calendar endpoints. This arises from improper handling of user-supplied input, allowing an attacker to inject malicious code that is…

  • CVE-2024-45518Oct 22, 2024
    risk 0.02cvss epss 0.20

    An issue was discovered in Zimbra Collaboration (ZCS) 10.1.x before 10.1.1, 10.0.x before 10.0.9, 9.0.0 before Patch 41, and 8.8.15 before Patch 46. It allows authenticated users to exploit Server-Side Request Forgery (SSRF) due to improper input sanitization and misconfigured…

  • CVE-2025-67809Dec 15, 2025
    risk 0.00cvss epss 0.00

    An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A hardcoded Flickr API key and secret are present in the publicly accessible Flickr Zimlet used by Zimbra Collaboration. Because these credentials are embedded directly in the Zimlet, any unauthorized party…

  • CVE-2024-45515Jul 30, 2025
    risk 0.00cvss epss 0.00

    An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A Cross-Site Scripting (XSS) vulnerability exists in Zimbra webmail due to insufficient validation of the content type metadata when importing files into the briefcase. Attackers can exploit this issue by…

  • CVE-2024-45516May 14, 2025
    risk 0.00cvss epss 0.00

    An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the…

  • CVE-2025-32354Apr 29, 2025
    risk 0.00cvss epss 0.00

    In Zimbra Collaboration (ZCS) 9.0 through 10.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the GraphQL endpoint (/service/extension/graphql) of Zimbra webmail due to a lack of CSRF token validation. This allows attackers to perform unauthorized GraphQL…

  • CVE-2025-27914Mar 12, 2025
    risk 0.00cvss epss 0.00

    An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A Reflected Cross-Site Scripting (XSS) vulnerability exists in the /h/rest endpoint, allowing authenticated attackers to inject and execute arbitrary JavaScript in a victim's session. Exploitation…

  • CVE-2025-25065Feb 3, 2025
    risk 0.00cvss epss 0.01

    SSRF vulnerability in the RSS feed parser in Zimbra Collaboration 9.0.0 before Patch 43, 10.0.x before 10.0.12, and 10.1.x before 10.1.4 allows unauthorized redirection to internal network endpoints.

  • CVE-2024-54663Dec 19, 2024
    risk 0.00cvss epss 0.01

    An issue was discovered in the Webmail Classic UI in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A Local File Inclusion (LFI) vulnerability exists in the /h/rest endpoint, allowing authenticated remote attackers to include and access sensitive files in the WebRoot…

  • CVE-2024-9665Nov 22, 2024
    risk 0.00cvss epss 0.00

    Zimbra GraphQL Cross-Site Request Forgery Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Zimbra. User interaction is required to exploit this vulnerability in that the target must…

  • CVE-2024-45513Nov 21, 2024
    risk 0.00cvss epss 0.00

    An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A stored Cross-Site Scripting (XSS) vulnerability exists in the /modern/contacts/print endpoint of Zimbra webmail. This allows an attacker to inject and execute arbitrary JavaScript code in the context of the…

  • CVE-2024-45512Nov 21, 2024
    risk 0.00cvss epss 0.00

    An issue was discovered in webmail in Zimbra Collaboration (ZCS) through 10.1. An attacker can exploit this vulnerability by creating a folder in the Briefcase module with a malicious payload and sharing it with a victim. When the victim interacts with the folder share…

  • CVE-2024-45514Nov 21, 2024
    risk 0.00cvss epss 0.01

    An issue was discovered in Zimbra Collaboration (ZCS) through v10.1. A Cross-Site Scripting (XSS) vulnerability exists in one of the endpoints of Zimbra Webmail due to insufficient sanitization of the packages parameter. Attackers can bypass the existing checks by using encoded…

  • CVE-2024-45194Nov 21, 2024
    risk 0.00cvss epss 0.00

    In Zimbra Collaboration (ZCS) 9.0 and 10.0, a vulnerability in the Webmail Modern UI allows execution of stored Cross-Site Scripting (XSS) payloads. An attacker with administrative access to the Zimbra Administration Panel can inject malicious JavaScript code while configuring…

  • CVE-2024-45517Nov 21, 2024
    risk 0.00cvss epss 0.01

    An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A Cross-Site Scripting (XSS) vulnerability in the /h/rest endpoint of the Zimbra webmail and admin panel interfaces allows attackers to execute arbitrary JavaScript in the victim's session. This issue is caused…

  • CVE-2024-45510Nov 20, 2024
    risk 0.00cvss epss 0.00

    An issue was discovered in Zimbra Collaboration (ZCS) through 10.0. Zimbra Webmail (Modern UI) is vulnerable to a stored Cross-Site Scripting (XSS) attack due to improper sanitization of user input. This allows an attacker to inject malicious code into specific fields of an…

  • CVE-2024-45511Nov 20, 2024
    risk 0.00cvss epss 0.00

    An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A reflected Cross-Site Scripting (XSS) issue exists through the Briefcase module due to improper sanitization of file content by the OnlyOffice formatter. This occurs when the victim opens a crafted URL pointing…

  • CVE-2024-33536Aug 12, 2024
    risk 0.00cvss epss 0.00

    An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The vulnerability occurs due to inadequate input validation of the res parameter, allowing an authenticated attacker to inject and execute arbitrary JavaScript code within the context of another user's browser…

  • CVE-2024-33535Aug 12, 2024
    risk 0.00cvss epss 0.01

    An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The vulnerability involves unauthenticated local file inclusion (LFI) in a web application, specifically impacting the handling of the packages parameter. Attackers can exploit this flaw to include arbitrary…

  • CVE-2024-33533Aug 12, 2024
    risk 0.00cvss epss 0.00

    An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0, issue 1 of 2. A reflected cross-site scripting (XSS) vulnerability has been identified in the Zimbra webmail admin interface. This vulnerability occurs due to inadequate input validation of the packages…

  • CVE-2024-27442Aug 12, 2024
    risk 0.00cvss epss 0.00

    An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The zmmailboxdmgr binary, a component of ZCS, is intended to be executed by the zimbra user with root privileges for specific mailbox operations. However, an attacker can escalate privileges from the zimbra user…

  • CVE-2023-45206Feb 13, 2024
    risk 0.00cvss epss 0.00

    An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15, 9.0, and 10.0. Through the help document endpoint in webmail, an attacker can inject JavaScript or HTML code that leads to cross-site scripting (XSS). (Adding an adequate message to avoid malicious code will mitigate…

  • CVE-2023-48432Feb 13, 2024
    risk 0.00cvss epss 0.00

    An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15, 9.0, and 10.0. XSS, with resultant session stealing, can occur via JavaScript code in a link (for a webmail redirection endpoint) within en email message, e.g., if a victim clicks on that link within Zimbra webmail.

  • CVE-2023-50808Feb 13, 2024
    risk 0.00cvss epss 0.00

    Zimbra Collaboration before Kepler 9.0.0 Patch 38 GA allows DOM-based JavaScript injection in the Modern UI.

  • CVE-2023-45207Feb 13, 2024
    risk 0.00cvss epss 0.00

    An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15, 9.0, and 10.0. An attacker can send a PDF document through mail that contains malicious JavaScript. While previewing this file in webmail in the Chrome browser, the stored XSS payload is executed. (This has been…

  • CVE-2023-26562Feb 13, 2024
    risk 0.00cvss epss 0.01

    In Zimbra Collaboration (ZCS) 8.8.15 and 9.0, a closed account (with 2FA and generated passwords) can send e-mail messages when configured for Imap/smtp.

  • CVE-2017-20188Jan 2, 2024
    risk 0.00cvss epss 0.00

    A vulnerability has been found in Zimbra zm-ajax up to 8.8.1 and classified as problematic. Affected by this vulnerability is the function XFormItem.prototype.setError of the file WebRoot/js/ajax/dwt/xforms/XFormItem.js. The manipulation of the argument message leads to cross…

  • CVE-2023-43103Dec 7, 2023
    risk 0.00cvss epss 0.00

    An XSS issue was discovered in a web endpoint in Zimbra Collaboration (ZCS) before 10.0.4 via an unsanitized parameter. This is also fixed in 8.8.15 Patch 43 and 9.0.0 Patch 36.

  • CVE-2023-43102Dec 7, 2023
    risk 0.00cvss epss 0.00

    An issue was discovered in Zimbra Collaboration (ZCS) before 10.0.4. An XSS issue can be exploited to access the mailbox of an authenticated user. This is also fixed in 8.8.15 Patch 43 and 9.0.0 Patch 36.

  • CVE-2023-41106Dec 7, 2023
    risk 0.00cvss epss 0.01

    An issue was discovered in Zimbra Collaboration (ZCS) before 10.0.3. An attacker can gain access to a Zimbra account. This is also fixed in 9.0.0 Patch 35 and 8.8.15 Patch 42.

  • CVE-2023-38750Jul 31, 2023
    risk 0.00cvss epss 0.01

    In Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41, 9 before 9.0.0 Patch 34, and 10 before 10.0.2, internal JSP and XML files can be exposed.

  • CVE-2023-34193Jul 6, 2023
    risk 0.00cvss epss 0.01

    File Upload vulnerability in Zimbra ZCS 8.8.15 allows an authenticated privileged user to execute arbitrary code and obtain sensitive information via the ClientUploader function.

  • CVE-2023-29382Jul 6, 2023
    risk 0.00cvss epss 0.01

    An issue in Zimbra Collaboration ZCS v.8.8.15 and v.9.0 allows an attacker to execute arbitrary code via the sfdc_preauth.jsp component.

  • CVE-2023-29381Jul 6, 2023
    risk 0.00cvss epss 0.01

    An issue in Zimbra Collaboration (ZCS) v.8.8.15 and v.9.0 allows a remote attacker to escalate privileges and obtain sensitive information via the password and 2FA parameters.

  • CVE-2023-24031Jun 15, 2023
    risk 0.00cvss epss 0.00

    An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 8.8.15. XSS can occur, via one of attributes of the webmail /h/ endpoint, to execute arbitrary JavaScript code, leading to information disclosure.

  • CVE-2023-24030Jun 15, 2023
    risk 0.00cvss epss 0.00

    An open redirect vulnerability exists in the /preauth Servlet in Zimbra Collaboration Suite through 9.0 and 8.8.15. To exploit the vulnerability, an attacker would need to have obtained a valid zimbra auth token or a valid preauth token. Once the token is obtained, an attacker…

  • CVE-2023-24032Jun 15, 2023
    risk 0.00cvss epss 0.01

    In Zimbra Collaboration Suite through 9.0 and 8.8.15, an attacker (who has initial user access to a Zimbra server instance) can execute commands as root by passing one of JVM arguments, leading to local privilege escalation (LPE).

  • CVE-2022-45913Jan 6, 2023
    risk 0.00cvss epss 0.00

    An issue was discovered in Zimbra Collaboration (ZCS) 9.0. XSS can occur via one of attributes in webmail URLs to execute arbitrary JavaScript code, leading to information disclosure.

  • CVE-2022-45911Jan 6, 2023
    risk 0.00cvss epss 0.00

    An issue was discovered in Zimbra Collaboration (ZCS) 9.0. XSS can occur on the Classic UI login page by injecting arbitrary JavaScript code in the username field. This occurs before the user logs into the system, which means that even if the attacker executes arbitrary…

  • CVE-2022-45912Dec 5, 2022
    risk 0.00cvss epss 0.01

    An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. Remote code execution can occur through ClientUploader by an authenticated admin user. An authenticated admin user can upload files through the ClientUploader utility, and traverse to any other directory for…