Skip to main content

Synacor Zimbra Collaboration Suite CVE-2019-9670

CRITICAL
Improper Restriction of XML External Entity Reference (CWE-611)
2019-05-29 cve@mitre.org
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Mar 26, 2026 - 11:19 vuln.today
Added to CISA KEV
Nov 04, 2025 - 16:46 cisa
CISA KEV
PoC Detected
Nov 04, 2025 - 16:46 vuln.today
Public exploit code
Patch released
Nov 04, 2025 - 16:46 nvd
Patch available
CVE Published
May 29, 2019 - 22:29 nvd
CRITICAL 9.8

DescriptionCVE.org

mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability, as demonstrated by Autodiscover/Autodiscover.xml.

AnalysisAI

Synacor Zimbra Collaboration Suite 8.7.x contains an XML External Entity (XXE) injection vulnerability in the Autodiscover endpoint that allows unauthenticated attackers to read files and achieve server-side request forgery.

Technical ContextAI

The CWE-611 XXE injection in Zimbra's Autodiscover/Autodiscover.xml endpoint accepts XML input without disabling external entity processing. Attackers inject XXE payloads to read local files (including Zimbra's localconfig.xml containing database credentials) and perform SSRF to access internal services.

Affected ProductsAI

Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10

RemediationAI

Update Zimbra to 8.7.11p10+. Disable external XML entity processing. Rotate all database credentials. Audit for unauthorized admin accounts and email access.

Share

CVE-2019-9670 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy