According to its self-reported version number, Zimbra Collaboration Server is affected by multiple vulnerabilities including:

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition     product of Oracle Java SE (component: Libraries). Supported versions that     are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle     GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable     vulnerability allows unauthenticated attacker with network access via     multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise     Edition. Successful attacks of this vulnerability can result in unauthorized     access to critical data or complete access to all Oracle Java SE, Oracle     GraalVM Enterprise Edition accessible data. Note: This vulnerability applies     to Java deployments, typically in clients running sandboxed Java Web Start     applications or sandboxed Java applets, that load and run untrusted code     (e.g., code that comes from the internet) and rely on the Java sandbox for     security. This vulnerability can also be exploited by using APIs in the     specified Component, e.g., through a web service which supplies data to the     APIs. (CVE-2022-21476)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition     product of Oracle Java SE (component: Libraries). Supported versions that     are affected are Oracle Java SE: 17.0.2 and 18; Oracle GraalVM Enterprise     Edition: 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows     unauthenticated attacker with network access via multiple protocols to     compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful     attacks of this vulnerability can result in unauthorized creation, deletion     or modification access to critical data or all Oracle Java SE, Oracle     GraalVM Enterprise Edition accessible data. Note: This vulnerability applies     to Java deployments, typically in clients running sandboxed Java Web Start     applications or sandboxed Java applets, that load and run untrusted code     (e.g., code that comes from the internet) and rely on the Java sandbox for     security. This vulnerability can also be exploited by using APIs in the     specified Component, e.g., through a web service which supplies data to the     APIs. (CVE-2022-21449)

  -	Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition     product of Oracle Java SE (component: JSSE). Supported versions that are     affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle     GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit     vulnerability allows unauthenticated attacker with network access via TLS     to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful     attacks of this vulnerability can result in unauthorized creation, deletion     or modification access to critical data or all Oracle Java SE, Oracle     GraalVM Enterprise Edition accessible data as well as unauthorized access to     critical data or complete access to all Oracle Java SE, Oracle GraalVM     Enterprise Edition accessible data. Note: This vulnerability applies to Java     deployments, typically in clients running sandboxed Java Web Start     applications or sandboxed Java applets, that load and run untrusted code     (e.g., code that comes from the internet) and rely on the Java sandbox for     security. This vulnerability can also be exploited by using APIs in the     specified Component, e.g., through a web service which supplies data to the     APIs. (CVE-2023-21930)

  -	An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15, 9.0, and 10.0.
    XSS, with resultant session stealing, can occur via JavaScript code in a     link (for a webmail redirection endpoint) within en email message, e.g., if     a victim clicks on that link within Zimbra webmail. (CVE-2023-48432)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Zimbra Collaboration Server 8.8.x < 8.8.15 Patch 45, 9.x < 9.0.0 Patch 38, 10.0.x < 10.0.6 Multiple Vulnerabilities

high Nessus Plugin ID 192099

Version 1.2

Version 1.1

Version 1.1

Version 1.0

Version 1.2 Mar 15, 2024, 3:57 PM IAVM reference STIG Severity (set to "I") Plugin Feed: 202403151557
Version 1.1 Mar 14, 2024, 3:54 PM CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:POC/RL:OF/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:P/RL:O/RC:C") Exploit attributes ("Exploit available" set to "True". "Exploitability ease" set to "Exploits are available") Plugin Feed: 202403141554
Version 1.1 Mar 15, 2024, 1:33 PM IAVM reference STIG Severity (set to "I") Plugin Feed: 202403151333
Version 1.0 Mar 14, 2024, 10:59 AM New Plugin Feed: 202403141059