According to its self-reported version number, Zimbra Collaboration Server is affected by multiple vulnerabilities including:

 - Fixed a security vulnerability in the postjournal service which may allow    unauthenticated users to execute commands. (CVE-2024-45519)

 - A Server-Side Request Forgery (SSRF) vulnerability that allowed unauthorized    access to internal services has been addressed. (CVE-2024-45518)

  - A Cross-Site Scripting (XSS) vulnerability in the `/h/rest` endpoint has     been fixed. (CVE-2024-45517)

  - A Cross-Site Scripting (XSS) vulnerability via crafted HTML content in the     Zimbra Classic UI has been fixed. (CVE-2024-45516)

  - A Cross-Site Scripting (XSS) vulnerability caused by a non-sanitized     `packages` parameter has been resolved. (CVE-2024-45514)

  - A Cross-Site Scripting (XSS) vulnerability via crafted HTML content in the     Zimbra Classic UI has been fixed. (TBD)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Zimbra Collaboration Server 8.0.0 < 8.8.15 Patch 46, 9.0.0 < 9.0.0 Patch 41, 10.0 < 10.0.9, 10.1.0 < 10.1.1 Multiple Vulnerabilities

critical Nessus Plugin ID 208035

Version 1.5