An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The vulnerability involves unauthenticated local file inclusion (LFI) in a web application, specifically impacting the handling of the packages parameter. Attackers can exploit this flaw to include arbitrary local files without authentication, potentially leading to unauthorized access to sensitive information. The vulnerability is limited to files within a specific directory.
References
Link | Resource |
---|---|
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.8#Security_Fixes | Release Notes |
https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P40#Security_Fixes | Release Notes |
Configurations
Configuration 1 (hide)
|
History
14 Aug 2024, 13:18
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:zimbra:collaboration:9.0.0:p27:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p14:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p21:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p19:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p12:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p1:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p10:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p3:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p16:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p11:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p5:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p9:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p30:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p38:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p34:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p20:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p35:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p7.1:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p4:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p2:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p36:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p7:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p31:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p24.1:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p24:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:*:*:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p15:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p0:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p25:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p13:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p33:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p8:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p6:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p32:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p37:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p39:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p23:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:9.0.0:p26:*:*:*:*:*:* |
13 Aug 2024, 17:20
Type | Values Removed | Values Added |
---|---|---|
First Time |
Zimbra collaboration
Zimbra |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
References | () https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.8#Security_Fixes - Release Notes | |
References | () https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P40#Security_Fixes - Release Notes | |
CWE | CWE-22 | |
Summary |
|
|
CPE | cpe:2.3:a:zimbra:collaboration:9.0.0:-:*:*:*:*:*:* cpe:2.3:a:zimbra:collaboration:10.0.0:*:*:*:*:*:*:* |
12 Aug 2024, 15:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-08-12 15:15
Updated : 2024-08-14 13:18
NVD link : CVE-2024-33535
Mitre link : CVE-2024-33535
CVE.ORG link : CVE-2024-33535
JSON object : View
Products Affected
zimbra
- collaboration
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')