Synacor
Products by Synacor Sorted by Most Security Vulnerabilities since 2018
Known Exploited Synacor Vulnerabilities
The following Synacor vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Synacor Zimbra Collaboration Suite Improper Restriction of XML External Entity Reference | Improper Restriction of XML External Entity Reference vulnerability affecting Synacor Zimbra Collaboration Suite. CVE-2019-9670 | January 10, 2022 |
By the Year
In 2024 there have been 0 vulnerabilities in Synacor . Synacor did not have any published security vulnerabilities last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2024 | 0 | 0.00 |
| 2023 | 0 | 0.00 |
| 2022 | 1 | 7.80 |
| 2021 | 2 | 6.10 |
| 2020 | 5 | 6.92 |
| 2019 | 9 | 7.14 |
| 2018 | 7 | 6.20 |
It may take a day or so for new Synacor vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Synacor Security Vulnerabilities
Due to an issue with incorrect sudo permissions, Zimbra Collaboration Suite (ZCS) suffers
CVE-2022-3569
7.8 - High
- October 17, 2022
Due to an issue with incorrect sudo permissions, Zimbra Collaboration Suite (ZCS) suffers from a local privilege escalation issue in versions 9.0.0 and prior, where the 'zimbra' user can effectively coerce postfix into running arbitrary commands as 'root'.
A reflected cross-site scripting (XSS) vulnerability in the zimbraAdmin/public/secureRequest.jsp component of Zimbra Collaboration 8.8.12
CVE-2020-18984
6.1 - Medium
- December 15, 2021
A reflected cross-site scripting (XSS) vulnerability in the zimbraAdmin/public/secureRequest.jsp component of Zimbra Collaboration 8.8.12 allows unauthenticated attackers to execute arbitrary web scripts or HTML via a host header injection.
XSS
An issue in /domain/service/.ewell-known/caldav of Zimbra Collaboration 8.8.12
CVE-2020-18985
6.1 - Medium
- December 15, 2021
An issue in /domain/service/.ewell-known/caldav of Zimbra Collaboration 8.8.12 allows attackers to redirect users to any arbitrary website of their choosing.
Open Redirect
An XSS vulnerability exists in the Webmail component of Zimbra Collaboration Suite before 8.8.15 Patch 11
CVE-2020-13653
6.1 - Medium
- July 02, 2020
An XSS vulnerability exists in the Webmail component of Zimbra Collaboration Suite before 8.8.15 Patch 11. It allows an attacker to inject executable JavaScript into the account name of a user's profile. The injected code can be reflected and executed when changing an e-mail signature.
XSS
Zimbra before 8.8.15 Patch 10 and 9.x before 9.0.0 Patch 3 allows remote code execution via an avatar file
CVE-2020-12846
8 - High
- June 03, 2020
Zimbra before 8.8.15 Patch 10 and 9.x before 9.0.0 Patch 3 allows remote code execution via an avatar file. There is potential abuse of /service/upload servlet in the webmail subsystem. A user can upload executable files (exe,sh,bat,jar) in the Contact section of the mailbox as an avatar image for a contact. A user will receive a "Corrupt File" error, but the file is still uploaded and stored locally in /opt/zimbra/data/tmp/upload/, leaving it open to possible remote execution.
Unrestricted File Upload
Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7
CVE-2020-7796
9.8 - Critical
- February 18, 2020
Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is enabled.
XSPA
An issue was discovered in Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7
CVE-2020-8633
5.3 - Medium
- February 18, 2020
An issue was discovered in Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7. When grantors revoked a shared calendar in Outlook, the calendar stayed mounted and accessible.
Improper Preservation of Permissions
Zimbra Collaboration before 8.8.12 Patch 1 has persistent XSS.
CVE-2019-11318
5.4 - Medium
- January 27, 2020
Zimbra Collaboration before 8.8.12 Patch 1 has persistent XSS.
XSS
Synacor Zimbra Admin UI in Zimbra Collaboration Suite before 8.8.0 beta 2 has Persistent XSS
CVE-2018-10948
4.8 - Medium
- May 30, 2019
Synacor Zimbra Admin UI in Zimbra Collaboration Suite before 8.8.0 beta 2 has Persistent XSS via mail addrs.
XSS
There is a Persistent XSS vulnerability in the briefcase component of Synacor Zimbra Collaboration Suite (ZCS) Zimbra Web Client (ZWC) 8.8.8 before 8.8.8 Patch 7 and 8.8.9 before 8.8.9 Patch 1.
CVE-2018-14425
6.1 - Medium
- May 30, 2019
There is a Persistent XSS vulnerability in the briefcase component of Synacor Zimbra Collaboration Suite (ZCS) Zimbra Web Client (ZWC) 8.8.8 before 8.8.8 Patch 7 and 8.8.9 before 8.8.9 Patch 1.
XSS
An issue was discovered in Synacor Zimbra Collaboration Suite 8.6.x before 8.6.0 Patch 11
CVE-2018-15131
5.3 - Medium
- May 30, 2019
An issue was discovered in Synacor Zimbra Collaboration Suite 8.6.x before 8.6.0 Patch 11, 8.7.x before 8.7.11 Patch 6, 8.8.x before 8.8.8 Patch 9, and 8.8.9 before 8.8.9 Patch 3. Account number enumeration is possible via inconsistent responses for specific types of authentication requests.
Information Disclosure
mailboxd component in Synacor Zimbra Collaboration Suite 8.6
CVE-2018-18631
6.1 - Medium
- May 29, 2019
mailboxd component in Synacor Zimbra Collaboration Suite 8.6, 8.7 before 8.7.11 Patch 7, and 8.8 before 8.8.10 Patch 2 has Persistent XSS.
XSS
Synacor Zimbra Collaboration Suite Collaboration before 8.8.11 has XSS in the AJAX and html web clients.
CVE-2018-14013
6.1 - Medium
- May 29, 2019
Synacor Zimbra Collaboration Suite Collaboration before 8.8.11 has XSS in the AJAX and html web clients.
XSS
ZxChat (aka ZeXtras Chat), as used for zimbra-chat and zimbra-talk in Synacor Zimbra Collaboration Suite 8.7 and 8.8 and in other products
CVE-2018-20160
9.8 - Critical
- May 29, 2019
ZxChat (aka ZeXtras Chat), as used for zimbra-chat and zimbra-talk in Synacor Zimbra Collaboration Suite 8.7 and 8.8 and in other products, allows XXE attacks, as demonstrated by a crafted XML request to mailboxd.
XXE
mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability
CVE-2019-9670
9.8 - Critical
- May 29, 2019
mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability, as demonstrated by Autodiscover/Autodiscover.xml.
XXE
Zimbra Collaboration Suite 8.7.x through 8.8.11
CVE-2019-6981
6.5 - Medium
- May 29, 2019
Zimbra Collaboration Suite 8.7.x through 8.8.11 allows Blind SSRF in the Feed component.
XSPA
Synacor Zimbra Collaboration Suite 8.7.x through 8.8.11
CVE-2019-6980
9.8 - Critical
- May 29, 2019
Synacor Zimbra Collaboration Suite 8.7.x through 8.8.11 allows insecure object deserialization in the IMAP component.
Marshaling, Unmarshaling
Zimbra Collaboration before 8.8.10 GA
CVE-2018-17938
5.3 - Medium
- October 03, 2018
Zimbra Collaboration before 8.8.10 GA allows text content spoofing via a loginErrorCode value.
Insufficient Verification of Data Authenticity
Cross-site request forgery (CSRF) vulnerability in the login form in Zimbra Collaboration Suite (aka ZCS) before 8.6.0 Patch 10, 8.7.x before 8.7.11 Patch 2, and 8.8.x before 8.8.8 Patch 1
CVE-2015-7610
8.8 - High
- May 30, 2018
Cross-site request forgery (CSRF) vulnerability in the login form in Zimbra Collaboration Suite (aka ZCS) before 8.6.0 Patch 10, 8.7.x before 8.7.11 Patch 2, and 8.8.x before 8.8.8 Patch 1 allows remote attackers to hijack the authentication of unspecified victims by leveraging failure to use a CSRF token.
Session Riding
Zimbra Web Client (ZWC) in Zimbra Collaboration Suite 8.8 before 8.8.8.Patch4 and 8.7 before 8.7.11.Patch4 has Persistent XSS
CVE-2018-10939
6.1 - Medium
- May 30, 2018
Zimbra Web Client (ZWC) in Zimbra Collaboration Suite 8.8 before 8.8.8.Patch4 and 8.7 before 8.7.11.Patch4 has Persistent XSS via a contact group.
XSS