Description
The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows unauthenticated users to execute commands.
CVSS breakdown
CVSS 3.1
- Attack Complexity: Low
- Attack Vector: Network
- Availability: High
- Confidentiality: High
- Integrity: High
- Privileges Required: None
- Scope: Changed
- User Interaction: None
Exploits & PoCs
- nuclei: Zimbra Collaboration Suite < 9.0.0 - Remote Code Execution, by pdresearch, iamnoooob, parthmalhotra, ice3man543
References
- MISC: https://wiki.zimbra.com/wiki/Security_Center
- MISC: https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy
- MISC: https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes
- MISC: https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes
- MISC: https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_Fixes
- MISC: https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P46#Security_Fixes