
Zimbra Collaboration disclosed three new security vulnerabilities. These flaws affect Zimbra Collaboration versions 9.0 and 10.0 and expose users to cross-site scripting (XSS) and local file inclusion (LFI) attacks.
The first vulnerability is tracked as CVE-2024-33533. It resides in the Zimbra webmail admin interface and stems from inadequate input validation of the ‘packages’ parameter. A successful exploit could enable an authenticated attacker to inject and execute malicious JavaScript code within the context of another user’s browser session.
The second vulnerability is tracked as CVE-2024-33535. It is an unauthenticated local file inclusion flaw in a web application, again linked to the handling of the ‘packages’ parameter. An attacker could leverage this vulnerability to include arbitrary local files without authentication, potentially gaining unauthorized access to sensitive information within a defined directory.
The third vulnerability is tracked as CVE-2024-33536. It is also a reflected XSS flaw, arising from insufficient input validation of the ‘res’ parameter. Like CVE-2024-33533, a successful exploit could allow an authenticated attacker to inject and execute arbitrary JavaScript code within the context of another user’s browser session.
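Both flaw classes above come down to a request parameter that is trusted too far: one that names files on disk (LFI) and one that is echoed back into a page (reflected XSS). The following is an added, generic illustration of the defensive checks involved; it is not Zimbra's code and makes no claim about how the ‘packages’ or ‘res’ parameters are actually handled. The allowlist pattern, the base directory and the file names are constructed assumptions.

```python
"""Defensive handling of request parameters that name files or are reflected
into HTML (generic example; the allowlist and paths are assumptions)."""
import html
import re
import tempfile
from pathlib import Path

# Hypothetical allowlist for a parameter that selects named packages:
# only identifiers separated by commas, nothing path-like.
PACKAGE_PARAM_RE = re.compile(r"^[A-Za-z0-9_]+(,[A-Za-z0-9_]+)*$")


def validate_packages_param(value: str) -> list[str]:
    """Return the package names or raise ValueError on anything unexpected."""
    if not PACKAGE_PARAM_RE.fullmatch(value):
        raise ValueError("invalid packages parameter")
    return value.split(",")


def resolve_within(base_dir: str, requested: str) -> Path:
    """Resolve a client-supplied name to a real path under base_dir.

    Canonicalising both sides defeats '../' traversal, absolute paths and
    symlinks that point outside the directory.
    """
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    if candidate != base and base not in candidate.parents:
        raise PermissionError("path escapes base directory")
    return candidate


def reflect_safely(value: str) -> str:
    """HTML-encode a parameter before echoing it into a page body."""
    return html.escape(value, quote=True)


def demo() -> dict:
    """Self-contained check against a constructed temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "readme.txt").write_text("ok")
        read = resolve_within(tmp, "readme.txt").read_text()
        try:
            resolve_within(tmp, "../../etc/hostname")
            traversal_blocked = False
        except PermissionError:
            traversal_blocked = True
    return {"read": read, "traversal_blocked": traversal_blocked}


if __name__ == "__main__":
    print(demo())
    print(reflect_safely('<img src=x onerror="alert(1)">'))
```

The file-resolution check compares canonical paths rather than string prefixes, so a base directory of `/srv/app` does not accidentally admit `/srv/app-backup`; the parameter allowlist rejects anything that is not a bare identifier before it reaches the filesystem or the page at all.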
Organizations utilizing Zimbra Collaboration are strongly urged to apply the latest security patches without delay.