Skip to main content

Collaboration CVE-2020-35123

MEDIUM
Improper Restriction of XML External Entity Reference (CWE-611)
2020-12-17 cve@mitre.org
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Dec 17, 2020 - 04:15 nvd
MEDIUM 6.5

DescriptionNVD

In Zimbra Collaboration Suite Network Edition versions < 9.0.0 P10 and 8.8.15 P17, there exists an XXE vulnerability in the saml consumer store extension, which is vulnerable to XXE attacks. This has been fixed in Zimbra Collaboration Suite Network edition 9.0.0 Patch 10 and 8.8.15 Patch 17.

AnalysisAI

In Zimbra Collaboration Suite Network Edition versions < 9.0.0 P10 and 8.8.15 P17, there exists an XXE vulnerability in the saml consumer store extension, which is vulnerable to XXE attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as XML External Entity (XXE) (CWE-611), which allows attackers to read arbitrary files or perform SSRF through XML processing. In Zimbra Collaboration Suite Network Edition versions < 9.0.0 P10 and 8.8.15 P17, there exists an XXE vulnerability in the saml consumer store extension, which is vulnerable to XXE attacks. This has been fixed in Zimbra Collaboration Suite Network edition 9.0.0 Patch 10 and 8.8.15 Patch 17. Affected products include: Zimbra Collaboration.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Disable external entity processing in XML parsers, use JSON instead of XML where possible.

CVE-2022-37393 HIGH POC
7.8 Aug 16

Zimbra's sudo configuration permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters. Rat

CVE-2021-35209 CRITICAL POC
9.8 Jul 02

An issue was discovered in ProxyServlet.java in the /proxy servlet in Zimbra Collaboration Suite 8.8 before 8.8.15 Patch

CVE-2022-41347 HIGH POC
7.8 Sep 26

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.x and 9.x (e.g., 8.8.15). Rated high severity (CVSS 7.8), this

CVE-2024-27443 MEDIUM POC
6.1 Aug 12

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. Rated medium severity (CVSS 6.1), this vulnerability

CVE-2023-29382 CRITICAL
9.8 Jul 06

An issue in Zimbra Collaboration ZCS v.8.8.15 and v.9.0 allows an attacker to execute arbitrary code via the sfdc_preaut

CVE-2023-29381 CRITICAL
9.8 Jul 06

An issue in Zimbra Collaboration (ZCS) v.8.8.15 and v.9.0 allows a remote attacker to escalate privileges and obtain sen

CVE-2022-32294 CRITICAL
9.8 Jul 11

Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-login randomly created password (from the "zmprove

CVE-2021-35208 MEDIUM POC
5.4 Jul 02

An issue was discovered in ZmMailMsgView.js in the Calendar Invite component in Zimbra Collaboration Suite 8.8.x before

CVE-2024-45518 HIGH
8.8 Oct 22

An issue was discovered in Zimbra Collaboration (ZCS) 10.1.x before 10.1.1, 10.0.x before 10.0.9, 9.0.0 before Patch 41,

CVE-2023-34193 HIGH
8.8 Jul 06

File Upload vulnerability in Zimbra ZCS 8.8.15 allows an authenticated privileged user to execute arbitrary code and obt

CVE-2024-27442 HIGH
7.8 Aug 12

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. Rated high severity (CVSS 7.8), this vulnerability i

CVE-2023-24032 HIGH
7.8 Jun 15

In Zimbra Collaboration Suite through 9.0 and 8.8.15, an attacker (who has initial user access to a Zimbra server instan

Share

CVE-2020-35123 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy