CVE-2020-12846 - Zimbra before 8.8.15 Patch 10 and 9.x before 9.0.0 Patch 3 allows remote code execution via an avata

CVE-2020-12846

Summary

Zimbra before 8.8.15 Patch 10 and 9.x before 9.0.0 Patch 3 allows remote code execution via an avatar file. There is potential abuse of /service/upload servlet in the webmail subsystem. A user can upload executable files (exe,sh,bat,jar) in the Contact section of the mailbox as an avatar image for a contact. A user will receive a "Corrupt File" error, but the file is still uploaded and stored locally in /opt/zimbra/data/tmp/upload/, leaving it open to possible remote execution.

References

Vulnerable Configurations

cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.0:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.0:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.1:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.1:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.2:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.2:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.3:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.3:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.4:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.4:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.5:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.5:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.6:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.6:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.7:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.7:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.8:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.8:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.9:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.9:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.10:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.10:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.12:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.12:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.13:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.13:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.14:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.14:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.15:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.15:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.16:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.16:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:7.2.7:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:7.2.7:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.0.0:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.0.0:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.0.1:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.0.1:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.0.2:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.0.2:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.0.3:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.0.3:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.0.4:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.0.4:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.0.5:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.0.5:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.0.6:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.0.6:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.0.7:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.0.7:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.0.8:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.0.8:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.0.9:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.0.9:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.5.0:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.5.0:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.5.1:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.5.1:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.6.0:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.6.0:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.6.0:-:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.6.0:-:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.6.0:patch1:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.6.0:patch1:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.6.0:patch10:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.6.0:patch10:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.6.0:patch2:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.6.0:patch2:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.6.0:patch3:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.6.0:patch3:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.6.0:patch4:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.6.0:patch4:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.6.0:patch5:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.6.0:patch5:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.6.0:patch6:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.6.0:patch6:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.6.0:patch7:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.6.0:patch7:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.6.0:patch8:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.6.0:patch8:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.6.0:patch9:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.6.0:patch9:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.0:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.0:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.1:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.1:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.2:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.2:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.3:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.3:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.4:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.4:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.5:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.5:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.6:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.6:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.7:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.7:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.8:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.8:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.9:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.9:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.10:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.10:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:-:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:-:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p1:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p1:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p10:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p10:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p11:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p11:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p12:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p12:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p13:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p13:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p2:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p2:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p3:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p3:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p4:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p4:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p5:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p5:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p6:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p6:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p7:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p7:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p8:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p8:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p9:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p9:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:patch1:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:patch1:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:patch10:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:patch10:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:patch11:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:patch11:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:patch2:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:patch2:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:patch3:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:patch3:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:patch4:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:patch4:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:patch5:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:patch5:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:patch6:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:patch6:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:patch7:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:patch7:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:patch8:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:patch8:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:patch9:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:patch9:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.0:-:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.0:-:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.0:beta1:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.0:beta1:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.2:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.2:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.3:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.3:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.4:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.4:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.5:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.5:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.6:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.6:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.6:-:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.6:-:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.6:p1:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.6:p1:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.6:p2:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.6:p2:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.6:patch1:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.6:patch1:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.6:patch2:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.6:patch2:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.7:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.7:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:-:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:-:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:p1:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:p1:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:p10:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:p10:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:p3:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:p3:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:p4:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:p4:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:p6:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:p6:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:p7:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:p7:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:p9:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:p9:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:patch1:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:patch1:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:patch10:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:patch10:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:patch2:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:patch2:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:patch3:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:patch3:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:patch4:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:patch4:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:patch5:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:patch5:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:patch6:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:patch6:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:patch7:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:patch7:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:patch9:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.8:patch9:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:-:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:-:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:p1:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:p1:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:p10:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:p10:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:p2:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:p2:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:p3:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:p3:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:p4:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:p4:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:p5:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:p5:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:p7:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:p7:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:p8:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:p8:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:patch1:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:patch1:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:patch10:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:patch10:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:patch2:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:patch2:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:patch3:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:patch3:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:patch4:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:patch4:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:patch6:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:patch6:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:patch7:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:patch7:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:patch8:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.9:patch8:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.10:-:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.10:-:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.10:p11:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.10:p11:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.10:p2:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.10:p2:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.10:p3:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.10:p3:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.10:p4:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.10:p4:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.10:p6:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.10:p6:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.10:p7:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.10:p7:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.10:p8:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.10:p8:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.10:patch2:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.10:patch2:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.10:patch3:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.10:patch3:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.10:patch4:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.10:patch4:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.10:patch6:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.10:patch6:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.10:patch7:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.10:patch7:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.10:patch8:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.10:patch8:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.11:-:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.11:-:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.11:p2:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.11:p2:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.11:p3:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.11:p3:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.11:p4:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.11:p4:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.11:p5:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.11:p5:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.11:patch2:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.11:patch2:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.11:patch3:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.11:patch3:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.11:patch4:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.11:patch4:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.12:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.12:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.12:-:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.12:-:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.12:p1:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.12:p1:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.12:p3:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.12:p3:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.12:p4:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.12:p4:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:-:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:-:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p1:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p1:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p2:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p2:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p3:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p3:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p4:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p4:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p5:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p5:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p6:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p6:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p7:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p7:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p8:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p8:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p9:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p9:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:-:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:-:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p1:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p1:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p2:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p2:*:*:*:*:*:*

CVSS

Base:	6.0 (as of 05-06-2020 - 14:39)
Impact:
Exploitability:

CWE

CWE-434

CAPEC

Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	SINGLE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:M/Au:S/C:P/I:P/A:P

refmap via4

confirm	https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P3
misc	https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

Last major update

05-06-2020 - 14:39

Published

03-06-2020 - 17:15

Last modified

05-06-2020 - 14:39