Show filters
4 Total Results
Displaying 1-4 of 4
Sort by:
Attacker Value
Very High
CVE-2022-27925
Disclosure Date: April 21, 2022 (last updated October 07, 2023)
Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.
5
Attacker Value
Very High
CVE-2022-37042
Disclosure Date: August 12, 2022 (last updated October 08, 2023)
Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925.
4
Attacker Value
Very High
CVE-2022-37393
Disclosure Date: August 16, 2022 (last updated October 08, 2023)
Zimbra's sudo configuration permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters. As part of its intended functionality, zmslapd can load a user-defined configuration file, which includes plugins in the form of .so files, which also execute as root.
3
Attacker Value
Very High
CVE-2022-27924
Last updated August 16, 2022
Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance. These memcache commands becomes unescaped, causing an overwrite of arbitrary cached entries.
3