Skip to main content

Collaboration CVE-2022-37043

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2022-08-12 cve@mitre.org
5.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.7 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
CVE Published
Aug 12, 2022 - 15:15 nvd
MEDIUM 5.7

DescriptionNVD

An issue was discovered in the webmail component in Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0. When using preauth, CSRF tokens are not checked on some POST endpoints. Thus, when an authenticated user views an attacker-controlled page, a request will be sent to the application that appears to be intended. The CSRF token is omitted from the request, but the request still succeeds.

AnalysisAI

An issue was discovered in the webmail component in Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. An issue was discovered in the webmail component in Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0. When using preauth, CSRF tokens are not checked on some POST endpoints. Thus, when an authenticated user views an attacker-controlled page, a request will be sent to the application that appears to be intended. The CSRF token is omitted from the request, but the request still succeeds. Affected products include: Zimbra Collaboration.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

CVE-2022-37393 HIGH POC
7.8 Aug 16

Zimbra's sudo configuration permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters. Rat

CVE-2021-35209 CRITICAL POC
9.8 Jul 02

An issue was discovered in ProxyServlet.java in the /proxy servlet in Zimbra Collaboration Suite 8.8 before 8.8.15 Patch

CVE-2022-41347 HIGH POC
7.8 Sep 26

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.x and 9.x (e.g., 8.8.15). Rated high severity (CVSS 7.8), this

CVE-2024-27443 MEDIUM POC
6.1 Aug 12

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. Rated medium severity (CVSS 6.1), this vulnerability

CVE-2023-29382 CRITICAL
9.8 Jul 06

An issue in Zimbra Collaboration ZCS v.8.8.15 and v.9.0 allows an attacker to execute arbitrary code via the sfdc_preaut

CVE-2023-29381 CRITICAL
9.8 Jul 06

An issue in Zimbra Collaboration (ZCS) v.8.8.15 and v.9.0 allows a remote attacker to escalate privileges and obtain sen

CVE-2022-32294 CRITICAL
9.8 Jul 11

Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-login randomly created password (from the "zmprove

CVE-2021-35208 MEDIUM POC
5.4 Jul 02

An issue was discovered in ZmMailMsgView.js in the Calendar Invite component in Zimbra Collaboration Suite 8.8.x before

CVE-2024-45518 HIGH
8.8 Oct 22

An issue was discovered in Zimbra Collaboration (ZCS) 10.1.x before 10.1.1, 10.0.x before 10.0.9, 9.0.0 before Patch 41,

CVE-2023-34193 HIGH
8.8 Jul 06

File Upload vulnerability in Zimbra ZCS 8.8.15 allows an authenticated privileged user to execute arbitrary code and obt

CVE-2024-27442 HIGH
7.8 Aug 12

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. Rated high severity (CVSS 7.8), this vulnerability i

CVE-2023-24032 HIGH
7.8 Jun 15

In Zimbra Collaboration Suite through 9.0 and 8.8.15, an attacker (who has initial user access to a Zimbra server instan

Share

CVE-2022-37043 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy