CVE-2024-45516 (GCVE-0-2024-45516)
Vulnerability from cvelistv5
Published
2025-05-14 00:00
Modified
2025-05-19 14:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, including malformed <img> tags with embedded JavaScript. The vulnerability is triggered when a user views a specially crafted email in the Classic UI, requiring no additional user interaction.
References
| ► | URL | Tags | |
|---|---|---|---|
|
|
|||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45516",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-19T14:24:53.673415Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T14:25:22.301Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user\u0027s session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, including malformed \u003cimg\u003e tags with embedded JavaScript. The vulnerability is triggered when a user views a specially crafted email in the Classic UI, requiring no additional user interaction."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T15:26:34.067Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
},
{
"url": "https://wiki.zimbra.com/wiki/Security_Center"
},
{
"url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
},
{
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-45516",
"datePublished": "2025-05-14T00:00:00.000Z",
"dateReserved": "2024-09-01T00:00:00.000Z",
"dateUpdated": "2025-05-19T14:25:22.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-45516\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2025-05-14T20:15:20.857\",\"lastModified\":\"2025-06-11T21:20:29.063\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user\u0027s session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, including malformed \u003cimg\u003e tags with embedded JavaScript. The vulnerability is triggered when a user views a specially crafted email in the Classic UI, requiring no additional user interaction.\"},{\"lang\":\"es\",\"value\":\"Se descubri\u00f3 un problema en Zimbra Collaboration (ZCS) 9.0.0 (anterior al parche 43), 10.0.x (anterior a la versi\u00f3n 10.0.12), 10.1.x (anterior a la versi\u00f3n 10.1.4) y 8.8.15 (anterior al parche 47). Una vulnerabilidad de Cross-Site Scripting (XSS) en la interfaz cl\u00e1sica de Zimbra permite a los atacantes ejecutar JavaScript arbitrario en la sesi\u00f3n de la v\u00edctima, lo que podr\u00eda provocar acceso no autorizado a informaci\u00f3n confidencial. Este problema se debe a una limpieza insuficiente del contenido HTML, incluyendo etiquetas malformadas con JavaScript incrustado. La vulnerabilidad se activa cuando la v\u00edctima visualiza un correo electr\u00f3nico especialmente manipulado en la interfaz cl\u00e1sica, lo que provoca la ejecuci\u00f3n del script malicioso. No se requiere ninguna otra interacci\u00f3n del usuario m\u00e1s all\u00e1 de visualizar el correo electr\u00f3nico.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.0.0\",\"versionEndExcluding\":\"10.0.12\",\"matchCriteriaId\":\"E603BD7A-730E-410C-BBE1-3E5A8DD2A72F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.1.0\",\"versionEndExcluding\":\"10.1.4\",\"matchCriteriaId\":\"55361360-9F77-4731-82AD-82E65E4C5AA0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"9E39A855-C0EB-4448-AE96-177757C40C66\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p1:*:*:*:*:*:*\",\"matchCriteriaId\":\"FFE7BE6E-7A9A-40C7-B236-7A21103E9F41\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p10:*:*:*:*:*:*\",\"matchCriteriaId\":\"B5924FFC-BA19-48B3-BF4D-0C2DB3FCD407\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p11:*:*:*:*:*:*\",\"matchCriteriaId\":\"7822D273-C2CB-4EFE-B929-3D34C65E005E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p12:*:*:*:*:*:*\",\"matchCriteriaId\":\"F81528E8-FE3A-4C48-A747-34A3FF28BCAB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p13:*:*:*:*:*:*\",\"matchCriteriaId\":\"D772D4BA-9ED6-492C-A0D3-0AF4F3D49037\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p14:*:*:*:*:*:*\",\"matchCriteriaId\":\"C2A468FE-B59B-4CE9-B9B2-C836EEAFA3E8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p15:*:*:*:*:*:*\",\"matchCriteriaId\":\"04BECDE0-F082-49FB-ACA2-5C808902AA17\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p16:*:*:*:*:*:*\",\"matchCriteriaId\":\"56558FD4-4391-4199-BA6B-B53F5DC30144\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p17:*:*:*:*:*:*\",\"matchCriteriaId\":\"69A530D3-B84E-427B-BC92-64BBFEF331BE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p18:*:*:*:*:*:*\",\"matchCriteriaId\":\"3C0DCE7F-85A4-44C6-88C8-380B0BBBFA7E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p19:*:*:*:*:*:*\",\"matchCriteriaId\":\"180AF8B6-55AE-460C-B613-37FB697B5325\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p2:*:*:*:*:*:*\",\"matchCriteriaId\":\"6FCB5528-70FD-4525-A78B-D5537609331A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p20:*:*:*:*:*:*\",\"matchCriteriaId\":\"34B07279-A26A-4EB1-8B33-885AD854018B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p21:*:*:*:*:*:*\",\"matchCriteriaId\":\"97402ADA-AB05-4A92-920D-EA5363424FDF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p22:*:*:*:*:*:*\",\"matchCriteriaId\":\"697A1D34-FF0C-4F9E-8E91-34404A366D70\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p23:*:*:*:*:*:*\",\"matchCriteriaId\":\"9030D096-87A1-4AFF-BB7C-CE71990005B3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p24:*:*:*:*:*:*\",\"matchCriteriaId\":\"F211A8B1-E33E-49BE-9C18-31B1902EB4FE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p25:*:*:*:*:*:*\",\"matchCriteriaId\":\"4152CEA2-9DC1-4567-BAB3-9C36F74F77EA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p26:*:*:*:*:*:*\",\"matchCriteriaId\":\"9BC02B35-7FC4-41AB-8D2E-2CD1896D84C6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p27:*:*:*:*:*:*\",\"matchCriteriaId\":\"0294CB8B-B0AF-4A5C-B6B2-33F5BFFFBD4C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p28:*:*:*:*:*:*\",\"matchCriteriaId\":\"968A75B4-6D23-4B83-A8B5-777D8F151E04\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p29:*:*:*:*:*:*\",\"matchCriteriaId\":\"5E11BC24-56A3-4CAB-B0B2-D2430CD80767\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p3:*:*:*:*:*:*\",\"matchCriteriaId\":\"EF2EE32D-04A5-46EA-92F0-3C8D74A4B82A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p30:*:*:*:*:*:*\",\"matchCriteriaId\":\"50FB0099-0495-4735-9398-7F7E657F459B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p31:*:*:*:*:*:*\",\"matchCriteriaId\":\"FAE2858A-6D9E-4D79-AFA6-69C44D6D8C75\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p31.1:*:*:*:*:*:*\",\"matchCriteriaId\":\"5C1D9EB8-E3FE-4BF3-8517-603BA4B126C2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p32:*:*:*:*:*:*\",\"matchCriteriaId\":\"50A296BC-6DA4-41B2-923A-0633566AD6C1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p33:*:*:*:*:*:*\",\"matchCriteriaId\":\"C066ED38-1175-48FB-BE05-BE0C19E9EBE7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p34:*:*:*:*:*:*\",\"matchCriteriaId\":\"89B3EF32-B474-44DB-AE30-CD308CDC5A77\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p35:*:*:*:*:*:*\",\"matchCriteriaId\":\"A9ECCB00-F3F4-4EB7-9FD0-4CB64678B129\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p36:*:*:*:*:*:*\",\"matchCriteriaId\":\"37739F7A-490F-42A8-B97D-D09A3EDB85DC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p37:*:*:*:*:*:*\",\"matchCriteriaId\":\"518662DA-C0F3-4875-86D7-5ED2B2496CC8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p38:*:*:*:*:*:*\",\"matchCriteriaId\":\"64B28BE5-F35D-4AB0-A321-CEAE21BC26FF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p39:*:*:*:*:*:*\",\"matchCriteriaId\":\"9DFBABD6-70F2-4E3B-A9C0-82DE76D48542\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p4:*:*:*:*:*:*\",\"matchCriteriaId\":\"BB3C28CA-4C22-423E-B1C7-CBAFBB91F4DB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p40:*:*:*:*:*:*\",\"matchCriteriaId\":\"0D2D6DBD-560A-4F8E-B2CC-67A564C460A3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p41:*:*:*:*:*:*\",\"matchCriteriaId\":\"BFBC20F8-7F50-4D9D-8442-3397DED4B18B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p42:*:*:*:*:*:*\",\"matchCriteriaId\":\"D175FCA2-F902-4470-BFF6-5EC2F31BB06D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p43:*:*:*:*:*:*\",\"matchCriteriaId\":\"5516ED19-5648-4BC8-A9C2-6EE41B1794C7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p44:*:*:*:*:*:*\",\"matchCriteriaId\":\"28D5F229-EE33-42C4-A26D-23BC760720A5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p45:*:*:*:*:*:*\",\"matchCriteriaId\":\"A00BE897-F462-4193-BF51-4381B04C076B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p46:*:*:*:*:*:*\",\"matchCriteriaId\":\"8D93DABB-4E8B-4DB4-BCD5-D495933D0223\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p5:*:*:*:*:*:*\",\"matchCriteriaId\":\"A9A1314A-20C8-42D7-9387-D914999EEAF6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p6:*:*:*:*:*:*\",\"matchCriteriaId\":\"CEF091C5-8DC6-4A41-9E84-F53BE703F71B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p7:*:*:*:*:*:*\",\"matchCriteriaId\":\"ACD65C28-9716-4073-8613-C4AF12684760\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p8:*:*:*:*:*:*\",\"matchCriteriaId\":\"2C58AFFF-848F-490D-A95C-03A267C2DC98\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p9:*:*:*:*:*:*\",\"matchCriteriaId\":\"B62DC188-89A8-4AEA-90AE-563F0BBEFC54\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"32AFCE22-5ADA-4FF7-A165-5EC12B325DEF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p1:*:*:*:*:*:*\",\"matchCriteriaId\":\"D3577FE6-F1F4-4555-8D27-84D6DE731EA3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p10:*:*:*:*:*:*\",\"matchCriteriaId\":\"931BD98E-1A5F-4634-945B-BDD7D2FAA8B0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p11:*:*:*:*:*:*\",\"matchCriteriaId\":\"2E7C0A57-A887-4D29-B601-4275313F46B3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p12:*:*:*:*:*:*\",\"matchCriteriaId\":\"B7248B91-D136-4DD5-A631-737E4C220A02\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p13:*:*:*:*:*:*\",\"matchCriteriaId\":\"494F6FD4-36ED-4E40-8336-7F077FA80FA8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p14:*:*:*:*:*:*\",\"matchCriteriaId\":\"9DF8C0CE-A71D-4BB1-83FB-1EA5ED77E0C9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p15:*:*:*:*:*:*\",\"matchCriteriaId\":\"E0648498-2EE5-4B68-8360-ED5914285356\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p16:*:*:*:*:*:*\",\"matchCriteriaId\":\"24282FF8-548B-415B-95CA-1EFD404D21D3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p17:*:*:*:*:*:*\",\"matchCriteriaId\":\"ACFDF2D9-ED72-4969-AA3B-E8D48CB1922D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p18:*:*:*:*:*:*\",\"matchCriteriaId\":\"2B7D0A8B-7A72-4C1A-85F2-BE336CA47E0B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p19:*:*:*:*:*:*\",\"matchCriteriaId\":\"019AFC34-289E-4A01-B08B-A5807F7F909A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p2:*:*:*:*:*:*\",\"matchCriteriaId\":\"7E7B3976-DA6F-4285-93E6-2328006F7F4D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p20:*:*:*:*:*:*\",\"matchCriteriaId\":\"062E586F-0E02-45A6-93AD-895048FC2D4C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p21:*:*:*:*:*:*\",\"matchCriteriaId\":\"3EE37BEE-4BDB-4E62-8DE3-98CF74DFBE01\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p22:*:*:*:*:*:*\",\"matchCriteriaId\":\"ADF51BCA-37DD-4642-B201-74A6D1A545FF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p23:*:*:*:*:*:*\",\"matchCriteriaId\":\"39611F3D-A898-4C35-8915-3334CDFB78E5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24:*:*:*:*:*:*\",\"matchCriteriaId\":\"40AB56B7-7222-4C44-A271-45DFE3673F72\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24.1:*:*:*:*:*:*\",\"matchCriteriaId\":\"2AE8F501-4528-4F15-AE50-D4F11FB462DE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p25:*:*:*:*:*:*\",\"matchCriteriaId\":\"AB9E054B-7790-4E74-A771-40BF6EC71610\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p26:*:*:*:*:*:*\",\"matchCriteriaId\":\"DD924E57-C77B-430B-A615-537BB39CEA9C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p27:*:*:*:*:*:*\",\"matchCriteriaId\":\"F43F4AC0-7C82-4CF4-B0C7-3A4C567BC985\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p28:*:*:*:*:*:*\",\"matchCriteriaId\":\"7991F602-41D7-4377-B888-D66A467EAD67\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p29:*:*:*:*:*:*\",\"matchCriteriaId\":\"2193FCA2-1AE3-497D-B0ED-5B89727410E3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p3:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA310AFA-492D-4A6C-A7F6-740E82CB6E57\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p30:*:*:*:*:*:*\",\"matchCriteriaId\":\"FF95618B-0BFB-403C-83BE-C97879FC866D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p31:*:*:*:*:*:*\",\"matchCriteriaId\":\"A82346A9-9CC2-4B91-BA2F-A815AAA92A7F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p32:*:*:*:*:*:*\",\"matchCriteriaId\":\"2E800348-E139-418D-910B-7B3A9E1E721C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p33:*:*:*:*:*:*\",\"matchCriteriaId\":\"C7DE1A7E-573B-42F3-B0A4-D2E676954FE0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p34:*:*:*:*:*:*\",\"matchCriteriaId\":\"E60BC1D0-8552-4E6B-B2C5-96038448C238\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p35:*:*:*:*:*:*\",\"matchCriteriaId\":\"3924251E-13B0-420E-8080-D3312C3D54AF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p36:*:*:*:*:*:*\",\"matchCriteriaId\":\"AEBE75F9-A494-4C78-927A-EA564BDCCE0B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p37:*:*:*:*:*:*\",\"matchCriteriaId\":\"900BECBA-7FDB-4E35-9603-29706FB87BD2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p38:*:*:*:*:*:*\",\"matchCriteriaId\":\"5024FD58-A3ED-43B1-83EF-F4570C2573BA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p39:*:*:*:*:*:*\",\"matchCriteriaId\":\"3CC9D046-4EB4-4608-8AB7-B60AC330A770\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p4:*:*:*:*:*:*\",\"matchCriteriaId\":\"2AF337B5-B296-449B-8848-7636EC7C46C5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p40:*:*:*:*:*:*\",\"matchCriteriaId\":\"A4535EC5-74D5-41E8-95F1-5C033ADB043E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p41:*:*:*:*:*:*\",\"matchCriteriaId\":\"408E1BFD-16AA-458C-B040-04870522FEBD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p42:*:*:*:*:*:*\",\"matchCriteriaId\":\"205B2CDC-6423-4FD9-9FD0-847ADEB64003\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p5:*:*:*:*:*:*\",\"matchCriteriaId\":\"52232ACA-C158-48C8-A0DB-7689040CB8FB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p6:*:*:*:*:*:*\",\"matchCriteriaId\":\"3B4D0040-86D0-46C3-8A9A-3DD12138B9ED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p7:*:*:*:*:*:*\",\"matchCriteriaId\":\"D2BB9BC7-078D-4E08-88E4-9432D74CA9BA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p8:*:*:*:*:*:*\",\"matchCriteriaId\":\"F04D4B77-D386-4BC8-8169-9846693F6F11\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p9:*:*:*:*:*:*\",\"matchCriteriaId\":\"992370FA-F171-4FB3-9C1C-58AC37038CE4\"}]}]}],\"references\":[{\"url\":\"https://wiki.zimbra.com/wiki/Security_Center\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy\",\"source\":\"cve@mitre.org\",\"tags\":[\"Product\"]},{\"url\":\"https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-45516\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-19T14:24:53.673415Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-19T14:25:14.260Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"n/a\", \"product\": \"n/a\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"references\": [{\"url\": \"https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories\"}, {\"url\": \"https://wiki.zimbra.com/wiki/Security_Center\"}, {\"url\": \"https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy\"}, {\"url\": \"https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user\u0027s session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, including malformed \u003cimg\u003e tags with embedded JavaScript. The vulnerability is triggered when a user views a specially crafted email in the Classic UI, requiring no additional user interaction.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"n/a\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2025-05-15T15:26:34.067Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-45516\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-19T14:25:22.301Z\", \"dateReserved\": \"2024-09-01T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2025-05-14T00:00:00.000Z\", \"assignerShortName\": \"mitre\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
fkie_cve-2024-45516
Vulnerability from fkie_nvd
Published
2025-05-14 20:15
Modified
2025-06-11 21:20
Severity ?
Summary
An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, including malformed <img> tags with embedded JavaScript. The vulnerability is triggered when a user views a specially crafted email in the Classic UI, requiring no additional user interaction.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E603BD7A-730E-410C-BBE1-3E5A8DD2A72F",
"versionEndExcluding": "10.0.12",
"versionStartIncluding": "10.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
"matchCriteriaId": "55361360-9F77-4731-82AD-82E65E4C5AA0",
"versionEndExcluding": "10.1.4",
"versionStartIncluding": "10.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:-:*:*:*:*:*:*",
"matchCriteriaId": "9E39A855-C0EB-4448-AE96-177757C40C66",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p1:*:*:*:*:*:*",
"matchCriteriaId": "FFE7BE6E-7A9A-40C7-B236-7A21103E9F41",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p10:*:*:*:*:*:*",
"matchCriteriaId": "B5924FFC-BA19-48B3-BF4D-0C2DB3FCD407",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p11:*:*:*:*:*:*",
"matchCriteriaId": "7822D273-C2CB-4EFE-B929-3D34C65E005E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p12:*:*:*:*:*:*",
"matchCriteriaId": "F81528E8-FE3A-4C48-A747-34A3FF28BCAB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p13:*:*:*:*:*:*",
"matchCriteriaId": "D772D4BA-9ED6-492C-A0D3-0AF4F3D49037",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p14:*:*:*:*:*:*",
"matchCriteriaId": "C2A468FE-B59B-4CE9-B9B2-C836EEAFA3E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p15:*:*:*:*:*:*",
"matchCriteriaId": "04BECDE0-F082-49FB-ACA2-5C808902AA17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p16:*:*:*:*:*:*",
"matchCriteriaId": "56558FD4-4391-4199-BA6B-B53F5DC30144",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p17:*:*:*:*:*:*",
"matchCriteriaId": "69A530D3-B84E-427B-BC92-64BBFEF331BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p18:*:*:*:*:*:*",
"matchCriteriaId": "3C0DCE7F-85A4-44C6-88C8-380B0BBBFA7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p19:*:*:*:*:*:*",
"matchCriteriaId": "180AF8B6-55AE-460C-B613-37FB697B5325",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p2:*:*:*:*:*:*",
"matchCriteriaId": "6FCB5528-70FD-4525-A78B-D5537609331A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p20:*:*:*:*:*:*",
"matchCriteriaId": "34B07279-A26A-4EB1-8B33-885AD854018B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p21:*:*:*:*:*:*",
"matchCriteriaId": "97402ADA-AB05-4A92-920D-EA5363424FDF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p22:*:*:*:*:*:*",
"matchCriteriaId": "697A1D34-FF0C-4F9E-8E91-34404A366D70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p23:*:*:*:*:*:*",
"matchCriteriaId": "9030D096-87A1-4AFF-BB7C-CE71990005B3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p24:*:*:*:*:*:*",
"matchCriteriaId": "F211A8B1-E33E-49BE-9C18-31B1902EB4FE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p25:*:*:*:*:*:*",
"matchCriteriaId": "4152CEA2-9DC1-4567-BAB3-9C36F74F77EA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p26:*:*:*:*:*:*",
"matchCriteriaId": "9BC02B35-7FC4-41AB-8D2E-2CD1896D84C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p27:*:*:*:*:*:*",
"matchCriteriaId": "0294CB8B-B0AF-4A5C-B6B2-33F5BFFFBD4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p28:*:*:*:*:*:*",
"matchCriteriaId": "968A75B4-6D23-4B83-A8B5-777D8F151E04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p29:*:*:*:*:*:*",
"matchCriteriaId": "5E11BC24-56A3-4CAB-B0B2-D2430CD80767",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p3:*:*:*:*:*:*",
"matchCriteriaId": "EF2EE32D-04A5-46EA-92F0-3C8D74A4B82A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p30:*:*:*:*:*:*",
"matchCriteriaId": "50FB0099-0495-4735-9398-7F7E657F459B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p31:*:*:*:*:*:*",
"matchCriteriaId": "FAE2858A-6D9E-4D79-AFA6-69C44D6D8C75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p31.1:*:*:*:*:*:*",
"matchCriteriaId": "5C1D9EB8-E3FE-4BF3-8517-603BA4B126C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p32:*:*:*:*:*:*",
"matchCriteriaId": "50A296BC-6DA4-41B2-923A-0633566AD6C1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p33:*:*:*:*:*:*",
"matchCriteriaId": "C066ED38-1175-48FB-BE05-BE0C19E9EBE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p34:*:*:*:*:*:*",
"matchCriteriaId": "89B3EF32-B474-44DB-AE30-CD308CDC5A77",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p35:*:*:*:*:*:*",
"matchCriteriaId": "A9ECCB00-F3F4-4EB7-9FD0-4CB64678B129",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p36:*:*:*:*:*:*",
"matchCriteriaId": "37739F7A-490F-42A8-B97D-D09A3EDB85DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p37:*:*:*:*:*:*",
"matchCriteriaId": "518662DA-C0F3-4875-86D7-5ED2B2496CC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p38:*:*:*:*:*:*",
"matchCriteriaId": "64B28BE5-F35D-4AB0-A321-CEAE21BC26FF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p39:*:*:*:*:*:*",
"matchCriteriaId": "9DFBABD6-70F2-4E3B-A9C0-82DE76D48542",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p4:*:*:*:*:*:*",
"matchCriteriaId": "BB3C28CA-4C22-423E-B1C7-CBAFBB91F4DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p40:*:*:*:*:*:*",
"matchCriteriaId": "0D2D6DBD-560A-4F8E-B2CC-67A564C460A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p41:*:*:*:*:*:*",
"matchCriteriaId": "BFBC20F8-7F50-4D9D-8442-3397DED4B18B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p42:*:*:*:*:*:*",
"matchCriteriaId": "D175FCA2-F902-4470-BFF6-5EC2F31BB06D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p43:*:*:*:*:*:*",
"matchCriteriaId": "5516ED19-5648-4BC8-A9C2-6EE41B1794C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p44:*:*:*:*:*:*",
"matchCriteriaId": "28D5F229-EE33-42C4-A26D-23BC760720A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p45:*:*:*:*:*:*",
"matchCriteriaId": "A00BE897-F462-4193-BF51-4381B04C076B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p46:*:*:*:*:*:*",
"matchCriteriaId": "8D93DABB-4E8B-4DB4-BCD5-D495933D0223",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p5:*:*:*:*:*:*",
"matchCriteriaId": "A9A1314A-20C8-42D7-9387-D914999EEAF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p6:*:*:*:*:*:*",
"matchCriteriaId": "CEF091C5-8DC6-4A41-9E84-F53BE703F71B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p7:*:*:*:*:*:*",
"matchCriteriaId": "ACD65C28-9716-4073-8613-C4AF12684760",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p8:*:*:*:*:*:*",
"matchCriteriaId": "2C58AFFF-848F-490D-A95C-03A267C2DC98",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p9:*:*:*:*:*:*",
"matchCriteriaId": "B62DC188-89A8-4AEA-90AE-563F0BBEFC54",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "32AFCE22-5ADA-4FF7-A165-5EC12B325DEF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p1:*:*:*:*:*:*",
"matchCriteriaId": "D3577FE6-F1F4-4555-8D27-84D6DE731EA3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p10:*:*:*:*:*:*",
"matchCriteriaId": "931BD98E-1A5F-4634-945B-BDD7D2FAA8B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p11:*:*:*:*:*:*",
"matchCriteriaId": "2E7C0A57-A887-4D29-B601-4275313F46B3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p12:*:*:*:*:*:*",
"matchCriteriaId": "B7248B91-D136-4DD5-A631-737E4C220A02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p13:*:*:*:*:*:*",
"matchCriteriaId": "494F6FD4-36ED-4E40-8336-7F077FA80FA8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p14:*:*:*:*:*:*",
"matchCriteriaId": "9DF8C0CE-A71D-4BB1-83FB-1EA5ED77E0C9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p15:*:*:*:*:*:*",
"matchCriteriaId": "E0648498-2EE5-4B68-8360-ED5914285356",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p16:*:*:*:*:*:*",
"matchCriteriaId": "24282FF8-548B-415B-95CA-1EFD404D21D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p17:*:*:*:*:*:*",
"matchCriteriaId": "ACFDF2D9-ED72-4969-AA3B-E8D48CB1922D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p18:*:*:*:*:*:*",
"matchCriteriaId": "2B7D0A8B-7A72-4C1A-85F2-BE336CA47E0B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p19:*:*:*:*:*:*",
"matchCriteriaId": "019AFC34-289E-4A01-B08B-A5807F7F909A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p2:*:*:*:*:*:*",
"matchCriteriaId": "7E7B3976-DA6F-4285-93E6-2328006F7F4D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p20:*:*:*:*:*:*",
"matchCriteriaId": "062E586F-0E02-45A6-93AD-895048FC2D4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p21:*:*:*:*:*:*",
"matchCriteriaId": "3EE37BEE-4BDB-4E62-8DE3-98CF74DFBE01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p22:*:*:*:*:*:*",
"matchCriteriaId": "ADF51BCA-37DD-4642-B201-74A6D1A545FF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p23:*:*:*:*:*:*",
"matchCriteriaId": "39611F3D-A898-4C35-8915-3334CDFB78E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24:*:*:*:*:*:*",
"matchCriteriaId": "40AB56B7-7222-4C44-A271-45DFE3673F72",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24.1:*:*:*:*:*:*",
"matchCriteriaId": "2AE8F501-4528-4F15-AE50-D4F11FB462DE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p25:*:*:*:*:*:*",
"matchCriteriaId": "AB9E054B-7790-4E74-A771-40BF6EC71610",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p26:*:*:*:*:*:*",
"matchCriteriaId": "DD924E57-C77B-430B-A615-537BB39CEA9C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p27:*:*:*:*:*:*",
"matchCriteriaId": "F43F4AC0-7C82-4CF4-B0C7-3A4C567BC985",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p28:*:*:*:*:*:*",
"matchCriteriaId": "7991F602-41D7-4377-B888-D66A467EAD67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p29:*:*:*:*:*:*",
"matchCriteriaId": "2193FCA2-1AE3-497D-B0ED-5B89727410E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p3:*:*:*:*:*:*",
"matchCriteriaId": "FA310AFA-492D-4A6C-A7F6-740E82CB6E57",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p30:*:*:*:*:*:*",
"matchCriteriaId": "FF95618B-0BFB-403C-83BE-C97879FC866D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p31:*:*:*:*:*:*",
"matchCriteriaId": "A82346A9-9CC2-4B91-BA2F-A815AAA92A7F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p32:*:*:*:*:*:*",
"matchCriteriaId": "2E800348-E139-418D-910B-7B3A9E1E721C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p33:*:*:*:*:*:*",
"matchCriteriaId": "C7DE1A7E-573B-42F3-B0A4-D2E676954FE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p34:*:*:*:*:*:*",
"matchCriteriaId": "E60BC1D0-8552-4E6B-B2C5-96038448C238",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p35:*:*:*:*:*:*",
"matchCriteriaId": "3924251E-13B0-420E-8080-D3312C3D54AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p36:*:*:*:*:*:*",
"matchCriteriaId": "AEBE75F9-A494-4C78-927A-EA564BDCCE0B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p37:*:*:*:*:*:*",
"matchCriteriaId": "900BECBA-7FDB-4E35-9603-29706FB87BD2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p38:*:*:*:*:*:*",
"matchCriteriaId": "5024FD58-A3ED-43B1-83EF-F4570C2573BA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p39:*:*:*:*:*:*",
"matchCriteriaId": "3CC9D046-4EB4-4608-8AB7-B60AC330A770",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p4:*:*:*:*:*:*",
"matchCriteriaId": "2AF337B5-B296-449B-8848-7636EC7C46C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p40:*:*:*:*:*:*",
"matchCriteriaId": "A4535EC5-74D5-41E8-95F1-5C033ADB043E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p41:*:*:*:*:*:*",
"matchCriteriaId": "408E1BFD-16AA-458C-B040-04870522FEBD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p42:*:*:*:*:*:*",
"matchCriteriaId": "205B2CDC-6423-4FD9-9FD0-847ADEB64003",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p5:*:*:*:*:*:*",
"matchCriteriaId": "52232ACA-C158-48C8-A0DB-7689040CB8FB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p6:*:*:*:*:*:*",
"matchCriteriaId": "3B4D0040-86D0-46C3-8A9A-3DD12138B9ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p7:*:*:*:*:*:*",
"matchCriteriaId": "D2BB9BC7-078D-4E08-88E4-9432D74CA9BA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p8:*:*:*:*:*:*",
"matchCriteriaId": "F04D4B77-D386-4BC8-8169-9846693F6F11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p9:*:*:*:*:*:*",
"matchCriteriaId": "992370FA-F171-4FB3-9C1C-58AC37038CE4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user\u0027s session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, including malformed \u003cimg\u003e tags with embedded JavaScript. The vulnerability is triggered when a user views a specially crafted email in the Classic UI, requiring no additional user interaction."
},
{
"lang": "es",
"value": "Se descubri\u00f3 un problema en Zimbra Collaboration (ZCS) 9.0.0 (anterior al parche 43), 10.0.x (anterior a la versi\u00f3n 10.0.12), 10.1.x (anterior a la versi\u00f3n 10.1.4) y 8.8.15 (anterior al parche 47). Una vulnerabilidad de Cross-Site Scripting (XSS) en la interfaz cl\u00e1sica de Zimbra permite a los atacantes ejecutar JavaScript arbitrario en la sesi\u00f3n de la v\u00edctima, lo que podr\u00eda provocar acceso no autorizado a informaci\u00f3n confidencial. Este problema se debe a una limpieza insuficiente del contenido HTML, incluyendo etiquetas malformadas con JavaScript incrustado. La vulnerabilidad se activa cuando la v\u00edctima visualiza un correo electr\u00f3nico especialmente manipulado en la interfaz cl\u00e1sica, lo que provoca la ejecuci\u00f3n del script malicioso. No se requiere ninguna otra interacci\u00f3n del usuario m\u00e1s all\u00e1 de visualizar el correo electr\u00f3nico."
}
],
"id": "CVE-2024-45516",
"lastModified": "2025-06-11T21:20:29.063",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-05-14T20:15:20.857",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.zimbra.com/wiki/Security_Center"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
ncsc-2024-0386
Vulnerability from csaf_ncscnl
Published
2024-10-02 07:02
Modified
2024-10-10 12:50
Summary
Kwetsbaarheden verholpen in Zimbra
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten
Synacor heeft kwetsbaarheden verholpen in Zimbra Collaboration.
Interpretaties
Door middel van het versturen van een speciaal geprepareerde e-mail naar de SMTP server kan direct code executie worden verkregen op de Zimbra server die bijvoorbeeld gebruikt kan worden om een webshell te plaatsen.
Onderzoekers hebben Proof-of-Concept-code gepubliceerd, waarmee de kwetsbaarheid met kenmerk CVE-2024-45519 kan worden aangetoond. Er is een exploit beschikbaar en er zijn signalen van actief misbruik.
Oplossingen
UPDATE: Het NCSC heeft op Github een tool beschikbaar gesteld die gebruikt kan worden om een eventuele webshell die middels deze kwetsbaarheid is geplaatst te detecteren.
Synacor heeft updates uitgebracht om de kwetsbaarheden te verhelpen.
Zie bijgevoegde referenties voor meer informatie en de link naar de scantool op Github.
Kans
high
Schade
high
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "Synacor heeft kwetsbaarheden verholpen in Zimbra Collaboration.",
"title": "Feiten"
},
{
"category": "description",
"text": "Door middel van het versturen van een speciaal geprepareerde e-mail naar de SMTP server kan direct code executie worden verkregen op de Zimbra server die bijvoorbeeld gebruikt kan worden om een webshell te plaatsen.\n\nOnderzoekers hebben Proof-of-Concept-code gepubliceerd, waarmee de kwetsbaarheid met kenmerk CVE-2024-45519 kan worden aangetoond. Er is een exploit beschikbaar en er zijn signalen van actief misbruik.",
"title": "Interpretaties"
},
{
"category": "description",
"text": "UPDATE: Het NCSC heeft op Github een tool beschikbaar gesteld die gebruikt kan worden om een eventuele webshell die middels deze kwetsbaarheid is geplaatst te detecteren.\n\nSynacor heeft updates uitgebracht om de kwetsbaarheden te verhelpen.\n\nZie bijgevoegde referenties voor meer informatie en de link naar de scantool op Github.",
"title": "Oplossingen"
},
{
"category": "general",
"text": "high",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"references": [
{
"category": "external",
"summary": "Reference - cisagov; cveprojectv5; nvd",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
},
{
"category": "external",
"summary": "Reference - ncscclear",
"url": "https://github.com/NCSC-NL/zimbra-webshell-scan"
}
],
"title": "Kwetsbaarheden verholpen in Zimbra",
"tracking": {
"current_release_date": "2024-10-10T12:50:25.238470Z",
"id": "NCSC-2024-0386",
"initial_release_date": "2024-10-02T07:02:43.365395Z",
"revision_history": [
{
"date": "2024-10-02T07:02:43.365395Z",
"number": "0",
"summary": "Initiele versie"
},
{
"date": "2024-10-03T12:46:43.590587Z",
"number": "1",
"summary": "Dit beveiligingsadvies is naar High/High opgeschaald vanwege een beschikbare exploit en actief misbruik."
},
{
"date": "2024-10-10T12:50:25.238470Z",
"number": "2",
"summary": "Verwijzing naar NCSC detectie tool voor webshells toegevoegd."
}
],
"status": "final",
"version": "1.0.2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "zimbra_collaboration_server",
"product": {
"name": "zimbra_collaboration_server",
"product_id": "CSAFPID-1659643",
"product_identification_helper": {
"cpe": "cpe:2.3:a:synacor:zimbra_collaboration_server:*:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "zimbra_collaboration_suite",
"product": {
"name": "zimbra_collaboration_suite",
"product_id": "CSAFPID-240580",
"product_identification_helper": {
"cpe": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*"
}
}
}
],
"category": "vendor",
"name": "synacor"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-38356",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-38356",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38356.json"
}
],
"title": "CVE-2024-38356"
},
{
"cve": "CVE-2024-45194",
"product_status": {
"known_affected": [
"CSAFPID-1659643"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-45194",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-45194.json"
}
],
"title": "CVE-2024-45194"
},
{
"cve": "CVE-2024-45510",
"product_status": {
"known_affected": [
"CSAFPID-1659643"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-45510",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-45510.json"
}
],
"title": "CVE-2024-45510"
},
{
"cve": "CVE-2024-45511",
"product_status": {
"known_affected": [
"CSAFPID-1659643"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-45511",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-45511.json"
}
],
"title": "CVE-2024-45511"
},
{
"cve": "CVE-2024-45512",
"product_status": {
"known_affected": [
"CSAFPID-1659643"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-45512",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-45512.json"
}
],
"title": "CVE-2024-45512"
},
{
"cve": "CVE-2024-45513",
"product_status": {
"known_affected": [
"CSAFPID-1659643"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-45513",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-45513.json"
}
],
"title": "CVE-2024-45513"
},
{
"cve": "CVE-2024-45514",
"product_status": {
"known_affected": [
"CSAFPID-1659643"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-45514",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-45514.json"
}
],
"title": "CVE-2024-45514"
},
{
"cve": "CVE-2024-45515",
"product_status": {
"known_affected": [
"CSAFPID-1659643"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-45515",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-45515.json"
}
],
"title": "CVE-2024-45515"
},
{
"cve": "CVE-2024-45516",
"product_status": {
"known_affected": [
"CSAFPID-1659643"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-45516",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-45516.json"
}
],
"title": "CVE-2024-45516"
},
{
"cve": "CVE-2024-45517",
"product_status": {
"known_affected": [
"CSAFPID-1659643"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-45517",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-45517.json"
}
],
"title": "CVE-2024-45517"
},
{
"cve": "CVE-2024-45518",
"product_status": {
"known_affected": [
"CSAFPID-1659643"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-45518",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-45518.json"
}
],
"title": "CVE-2024-45518"
},
{
"cve": "CVE-2024-45519",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"notes": [
{
"category": "other",
"text": "Improper Authentication",
"title": "CWE-287"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1659643",
"CSAFPID-240580"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-45519",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-45519.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:C/UI:N",
"version": "3.1"
},
"products": [
"CSAFPID-1659643",
"CSAFPID-240580"
]
}
],
"title": "CVE-2024-45519"
}
]
}
ncsc-2025-0038
Vulnerability from csaf_ncscnl
Published
2025-02-04 09:10
Modified
2025-02-04 09:10
Summary
Kwetsbaarheden verholpen in Zimbra Collaboration
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten
Zimbra heeft meerdere kwetsbaarheden verholpen in Zimbra Collaboration.
Interpretaties
De kwetsbaarheden omvatten een SQL-injectie in de ZimbraSyncService SOAP-endpoint en een SSRF-kwetsbaarheid in de RSS-feedparser, die ongeautoriseerde toegang en manipulatie van de database mogelijk maakten, evenals ongeoorloofde omleiding naar interne netwerkeindpunten. Deze kwetsbaarheden kunnne leiden tot ongeautoriseerde toegang tot gevoelige gegevens en stelden interne bronnen bloot aan risico's.
Oplossingen
Zimbra heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.
Kans
medium
Schade
high
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-918
Server-Side Request Forgery (SSRF)
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "Zimbra heeft meerdere kwetsbaarheden verholpen in Zimbra Collaboration.",
"title": "Feiten"
},
{
"category": "description",
"text": "De kwetsbaarheden omvatten een SQL-injectie in de ZimbraSyncService SOAP-endpoint en een SSRF-kwetsbaarheid in de RSS-feedparser, die ongeautoriseerde toegang en manipulatie van de database mogelijk maakten, evenals ongeoorloofde omleiding naar interne netwerkeindpunten. Deze kwetsbaarheden kunnne leiden tot ongeautoriseerde toegang tot gevoelige gegevens en stelden interne bronnen bloot aan risico\u0027s.",
"title": "Interpretaties"
},
{
"category": "description",
"text": "Zimbra heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"title": "CWE-89"
},
{
"category": "general",
"text": "Server-Side Request Forgery (SSRF)",
"title": "CWE-918"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"references": [
{
"category": "external",
"summary": "Reference - cveprojectv5; nvd",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.12#Security_Fixes"
},
{
"category": "external",
"summary": "Reference - cveprojectv5; nvd",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes"
},
{
"category": "external",
"summary": "Reference - cveprojectv5; nvd",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P43#Security_Fixes"
},
{
"category": "external",
"summary": "Reference - hkcert",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P46"
}
],
"title": "Kwetsbaarheden verholpen in Zimbra Collaboration",
"tracking": {
"current_release_date": "2025-02-04T09:10:55.525420Z",
"id": "NCSC-2025-0038",
"initial_release_date": "2025-02-04T09:10:55.525420Z",
"revision_history": [
{
"date": "2025-02-04T09:10:55.525420Z",
"number": "0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "zimbra_collaboration_server",
"product": {
"name": "zimbra_collaboration_server",
"product_id": "CSAFPID-1659643",
"product_identification_helper": {
"cpe": "cpe:2.3:a:synacor:zimbra_collaboration_server:*:*:*:*:*:*:*:*"
}
}
}
],
"category": "vendor",
"name": "synacor"
},
{
"branches": [
{
"category": "product_name",
"name": "collaboration_suite",
"product": {
"name": "collaboration_suite",
"product_id": "CSAFPID-583669",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:collaboration_suite:*:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "collaboration_suite",
"product": {
"name": "collaboration_suite",
"product_id": "CSAFPID-1757303",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:collaboration_suite:10.0.10:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "collaboration_suite",
"product": {
"name": "collaboration_suite",
"product_id": "CSAFPID-1757304",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:collaboration_suite:10.0.11:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "collaboration_suite",
"product": {
"name": "collaboration_suite",
"product_id": "CSAFPID-1661049",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:collaboration_suite:10.0.1:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "collaboration_suite",
"product": {
"name": "collaboration_suite",
"product_id": "CSAFPID-1661052",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:collaboration_suite:10.0.2:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "collaboration_suite",
"product": {
"name": "collaboration_suite",
"product_id": "CSAFPID-1661051",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:collaboration_suite:10.0.3:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "collaboration_suite",
"product": {
"name": "collaboration_suite",
"product_id": "CSAFPID-1661053",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:collaboration_suite:10.0.4:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "collaboration_suite",
"product": {
"name": "collaboration_suite",
"product_id": "CSAFPID-1661057",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:collaboration_suite:10.0.5:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "collaboration_suite",
"product": {
"name": "collaboration_suite",
"product_id": "CSAFPID-1661058",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:collaboration_suite:10.0.6:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "collaboration_suite",
"product": {
"name": "collaboration_suite",
"product_id": "CSAFPID-1661050",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:collaboration_suite:10.0.7:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "collaboration_suite",
"product": {
"name": "collaboration_suite",
"product_id": "CSAFPID-1661055",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:collaboration_suite:10.0.8:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "collaboration_suite",
"product": {
"name": "collaboration_suite",
"product_id": "CSAFPID-1757302",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:collaboration_suite:10.0.9:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "collaboration_suite",
"product": {
"name": "collaboration_suite",
"product_id": "CSAFPID-1757305",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:collaboration_suite:10.1.0:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "collaboration_suite",
"product": {
"name": "collaboration_suite",
"product_id": "CSAFPID-1757306",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:collaboration_suite:10.1.1:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "collaboration_suite",
"product": {
"name": "collaboration_suite",
"product_id": "CSAFPID-1757307",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:collaboration_suite:10.1.2:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "collaboration_suite",
"product": {
"name": "collaboration_suite",
"product_id": "CSAFPID-1757308",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:collaboration_suite:10.1.3:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "zimbra_collaboration",
"product": {
"name": "zimbra_collaboration",
"product_id": "CSAFPID-1731223",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:zimbra_collaboration:*:*:*:*:*:*:*:*"
}
}
}
],
"category": "vendor",
"name": "zimbra"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45516",
"product_status": {
"known_affected": [
"CSAFPID-1659643",
"CSAFPID-583669",
"CSAFPID-1757303",
"CSAFPID-1757304",
"CSAFPID-1661049",
"CSAFPID-1661052",
"CSAFPID-1661051",
"CSAFPID-1661053",
"CSAFPID-1661057",
"CSAFPID-1661058",
"CSAFPID-1661050",
"CSAFPID-1661055",
"CSAFPID-1757302",
"CSAFPID-1757305",
"CSAFPID-1757306",
"CSAFPID-1757307",
"CSAFPID-1757308",
"CSAFPID-1731223"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-45516",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-45516.json"
}
],
"title": "CVE-2024-45516"
},
{
"cve": "CVE-2025-25064",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"title": "CWE-89"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1659643",
"CSAFPID-583669",
"CSAFPID-1757303",
"CSAFPID-1757304",
"CSAFPID-1661049",
"CSAFPID-1661052",
"CSAFPID-1661051",
"CSAFPID-1661053",
"CSAFPID-1661057",
"CSAFPID-1661058",
"CSAFPID-1661050",
"CSAFPID-1661055",
"CSAFPID-1757302",
"CSAFPID-1757305",
"CSAFPID-1757306",
"CSAFPID-1757307",
"CSAFPID-1757308",
"CSAFPID-1731223"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-25064",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-25064.json"
}
],
"title": "CVE-2025-25064"
},
{
"cve": "CVE-2025-25065",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"notes": [
{
"category": "other",
"text": "Server-Side Request Forgery (SSRF)",
"title": "CWE-918"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1659643",
"CSAFPID-583669",
"CSAFPID-1757303",
"CSAFPID-1757304",
"CSAFPID-1661049",
"CSAFPID-1661052",
"CSAFPID-1661051",
"CSAFPID-1661053",
"CSAFPID-1661057",
"CSAFPID-1661058",
"CSAFPID-1661050",
"CSAFPID-1661055",
"CSAFPID-1757302",
"CSAFPID-1757305",
"CSAFPID-1757306",
"CSAFPID-1757307",
"CSAFPID-1757308",
"CSAFPID-1731223"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-25065",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-25065.json"
}
],
"title": "CVE-2025-25065"
}
]
}
ghsa-f89j-4hpj-5qjm
Vulnerability from github
Published
2025-05-14 21:31
Modified
2025-05-19 15:30
Severity ?
VLAI Severity ?
Details
An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the victim's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, including malformed tags with embedded JavaScript. The vulnerability is triggered when the victim views a specially crafted email in the Classic UI, causing the malicious script to execute. No further user interaction is required beyond viewing the email.
{
"affected": [],
"aliases": [
"CVE-2024-45516"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-14T20:15:20Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the victim\u0027s session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, including malformed \u003cimg\u003e tags with embedded JavaScript. The vulnerability is triggered when the victim views a specially crafted email in the Classic UI, causing the malicious script to execute. No further user interaction is required beyond viewing the email.",
"id": "GHSA-f89j-4hpj-5qjm",
"modified": "2025-05-19T15:30:39Z",
"published": "2025-05-14T21:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45516"
},
{
"type": "WEB",
"url": "https://wiki.zimbra.com/wiki/Security_Center"
},
{
"type": "WEB",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes"
},
{
"type": "WEB",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
},
{
"type": "WEB",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…