CVE-2022-37043

Published: Aug 12, 2022Modified: Nov 21, 2024

5.7

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

Exploitability: 2.1 / Impact: 3.6

Source: NVD

Description

An issue was discovered in the webmail component in Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0. When using preauth, CSRF tokens are not checked on some POST endpoints. Thus, when an authenticated user views an attacker-controlled page, a request will be sent to the application that appears to be intended. The CSRF token is omitted from the request, but the request still succeeds.

Affected (2)

Products: Zimbra: Collaboration

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Zimbra Collaboration	Version 8.8.15
Zimbra Collaboration	Version 9.0.0

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (4)

https://wiki.zimbra.com/wiki/Security_Center

Source: cve@mitre.org

PatchVendor Advisory

https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

Source: cve@mitre.org

Vendor Advisory

https://wiki.zimbra.com/wiki/Security_Center

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.