Filtered by vendor Synacor
                        
                        Subscribe
                        
                        
                    
                    
                
                    Total
                    70 CVE
                
            | CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | 
|---|---|---|---|---|---|
| CVE-2022-27925 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-10-22 | 6.5 MEDIUM | 7.2 HIGH | 
| Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal. | |||||
| CVE-2019-9670 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-10-22 | 7.5 HIGH | 9.8 CRITICAL | 
| mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability, as demonstrated by Autodiscover/Autodiscover.xml. | |||||
| CVE-2019-9621 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-10-22 | 5.0 MEDIUM | 7.5 HIGH | 
| Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows SSRF via the ProxyServlet component. | |||||
| CVE-2018-6882 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-10-22 | 4.3 MEDIUM | 6.1 MEDIUM | 
| Cross-site scripting (XSS) vulnerability in the ZmMailMsgView.getAttachmentLinkHtml function in Zimbra Collaboration Suite (ZCS) before 8.7 Patch 1 and 8.8.x before 8.8.7 might allow remote attackers to inject arbitrary web script or HTML via a Content-Location header in an email attachment. | |||||
| CVE-2018-10951 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-08-15 | 4.0 MEDIUM | 6.5 MEDIUM | 
| mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 before 8.6.0.Patch10 allows zimbraSSLPrivateKey read access via a GetServer, GetAllServers, or GetAllActiveServers call in the Admin SOAP API. | |||||
| CVE-2025-48700 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-07-11 | N/A | 6.1 MEDIUM | 
| An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 and 10.1. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, specifically involving crafted tag structures and attribute values that include an @import directive and other script injection vectors. The vulnerability is triggered when a user views a crafted e-mail message in the Classic UI, requiring no additional user interaction. | |||||
| CVE-2024-50599 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-17 | N/A | 6.1 MEDIUM | 
| A reflected Cross-Site Scripting (XSS) vulnerability has been identified in Zimbra Collaboration Suite (ZCS) 8.8.15, affecting one of the webmail calendar endpoints. This arises from improper handling of user-supplied input, allowing an attacker to inject malicious code that is reflected back in the HTML response. | |||||
| CVE-2024-45516 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 6.1 MEDIUM | 
| An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, including malformed <img> tags with embedded JavaScript. The vulnerability is triggered when a user views a specially crafted email in the Classic UI, requiring no additional user interaction. | |||||
| CVE-2025-32354 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 8.8 HIGH | 
| In Zimbra Collaboration (ZCS) 9.0 through 10.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the GraphQL endpoint (/service/extension/graphql) of Zimbra webmail due to a lack of CSRF token validation. This allows attackers to perform unauthorized GraphQL operations, such as modifying contacts, changing account settings, and accessing sensitive user data when an authenticated user visits a malicious website. | |||||
| CVE-2025-25065 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 5.3 MEDIUM | 
| SSRF vulnerability in the RSS feed parser in Zimbra Collaboration 9.0.0 before Patch 43, 10.0.x before 10.0.12, and 10.1.x before 10.1.4 allows unauthorized redirection to internal network endpoints. | |||||
| CVE-2025-25064 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 8.8 HIGH | 
| SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. Authenticated attackers can exploit this vulnerability by manipulating a specific parameter in the request, allowing them to inject arbitrary SQL queries that could retrieve email metadata. | |||||
| CVE-2024-54663 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 7.5 HIGH | 
| An issue was discovered in the Webmail Classic UI in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A Local File Inclusion (LFI) vulnerability exists in the /h/rest endpoint, allowing authenticated remote attackers to include and access sensitive files in the WebRoot directory. Exploitation requires a valid auth token and involves crafting a malicious request targeting specific file paths. | |||||
| CVE-2024-45517 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 5.4 MEDIUM | 
| An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A Cross-Site Scripting (XSS) vulnerability in the /h/rest endpoint of the Zimbra webmail and admin panel interfaces allows attackers to execute arbitrary JavaScript in the victim's session. This issue is caused by improper sanitization of user input, leading to potential compromise of sensitive information. Exploitation requires user interaction to access the malicious URL. | |||||
| CVE-2024-45513 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 4.8 MEDIUM | 
| An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A stored Cross-Site Scripting (XSS) vulnerability exists in the /modern/contacts/print endpoint of Zimbra webmail. This allows an attacker to inject and execute arbitrary JavaScript code in the context of the victim's browser when a crafted vCard (VCF) file is processed and printed. This could lead to unauthorized actions within the victim's session. | |||||
| CVE-2024-45514 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 5.4 MEDIUM | 
| An issue was discovered in Zimbra Collaboration (ZCS) through v10.1. A Cross-Site Scripting (XSS) vulnerability exists in one of the endpoints of Zimbra Webmail due to insufficient sanitization of the packages parameter. Attackers can bypass the existing checks by using encoded characters, allowing the injection and execution of arbitrary JavaScript within a victim's session. | |||||
| CVE-2024-45512 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 5.4 MEDIUM | 
| An issue was discovered in webmail in Zimbra Collaboration (ZCS) through 10.1. An attacker can exploit this vulnerability by creating a folder in the Briefcase module with a malicious payload and sharing it with a victim. When the victim interacts with the folder share notification, the malicious script executes in their browser. This stored Cross-Site Scripting (XSS) vulnerability can lead to unauthorized actions within the victim's session. | |||||
| CVE-2024-45511 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 5.4 MEDIUM | 
| An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A reflected Cross-Site Scripting (XSS) issue exists through the Briefcase module due to improper sanitization of file content by the OnlyOffice formatter. This occurs when the victim opens a crafted URL pointing to a shared folder containing a malicious file uploaded by the attacker. The vulnerability allows the attacker to execute arbitrary JavaScript in the context of the victim's session. | |||||
| CVE-2024-45510 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 5.4 MEDIUM | 
| An issue was discovered in Zimbra Collaboration (ZCS) through 10.0. Zimbra Webmail (Modern UI) is vulnerable to a stored Cross-Site Scripting (XSS) attack due to improper sanitization of user input. This allows an attacker to inject malicious code into specific fields of an e-mail message. When the victim adds the attacker to their contacts, the malicious code is stored and executed when viewing the contact list. This can lead to unauthorized actions such as arbitrary mail sending, mailbox exfiltration, profile picture alteration, and other malicious actions. Proper sanitization and escaping of input fields are necessary to mitigate this vulnerability. | |||||
| CVE-2024-45194 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 4.8 MEDIUM | 
| In Zimbra Collaboration (ZCS) 9.0 and 10.0, a vulnerability in the Webmail Modern UI allows execution of stored Cross-Site Scripting (XSS) payloads. An attacker with administrative access to the Zimbra Administration Panel can inject malicious JavaScript code while configuring an email account. This injected code is stored on the server and executed in the context of the victim's browser when interacting with specific elements in the web interface. (The vulnerability can be mitigated by properly sanitizing input parameters to prevent the injection of malicious code.) | |||||
| CVE-2022-3569 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-05-13 | N/A | 7.8 HIGH | 
| Due to an issue with incorrect sudo permissions, Zimbra Collaboration Suite (ZCS) suffers from a local privilege escalation issue in versions 9.0.0 and prior, where the 'zimbra' user can effectively coerce postfix into running arbitrary commands as 'root'. | |||||
