Zimbra Collaboration Server 8.7.x < 8.7.11p10 XML External Entity injection (XXE) vulnerability

High Nessus Plugin ID 127133


The remote web server contains a web application that is affected by an XXE vulnerability.


Mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability.

Note that Nessus does not identify patch level or components versions for the Synacor Zimbra Collaboration Suite.
You will need to verify if the patch has been applied by executing the command 'zmcontrol -v' from the command line as the 'zimbra' user.


Upgrade to version 7.7.11p10 or later.

See Also




Plugin Details

Severity: High

ID: 127133

File Name: zimbra_8_7_11p10.nasl

Version: 1.3

Type: remote

Family: CGI abuses

Published: 2019/08/12

Updated: 2019/09/24

Dependencies: 72584

Configuration: Enable paranoid mode

Risk Information

Risk Factor: High

CVSS Score Source: CVE-2019-9670

CVSS v2.0

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:zimbra:collaboration_suite

Required KB Items: www/zimbra_zcs, Settings/ParanoidReport

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2019/05/28

Vulnerability Publication Date: 2019/05/29

Exploitable With

Metasploit (Zimbra Collaboration Autodiscover Servlet XXE and ProxyServlet SSRF)

Reference Information

CVE: CVE-2019-9670

EDB-ID: 46693

IAVA: 2019-A-0276