Zimbra Collaboration Server


By the Year

In 2026 there have been 0 vulnerabilities in Zimbra Collaboration Server. Collaboration Server did not have any published security vulnerabilities last year.




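| Year | Vulnerabilities | Average Score |
|------|-----------------|---------------|
| 2026 | 0 | 0.00 |
| 2025 | 0 | 0.00 |
| 2024 | 3 | 6.50 |
| 2023 | 0 | 0.00 |
| 2022 | 1 | 7.20 |
| 2021 | 0 | 0.00 |
| 2020 | 5 | 0.00 |
| 2019 | 1 | 7.50 |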

It may take a day or so for new Collaboration Server vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Zimbra Collaboration Server Security Vulnerabilities

Zimbra Collab LFI via /h/rest (9.0/10.0/10.1)
CVE-2024-54663 - December 19, 2024

An issue was discovered in the Webmail Classic UI in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A Local File Inclusion (LFI) vulnerability exists in the /h/rest endpoint, allowing authenticated remote attackers to include and access sensitive files in the WebRoot directory. Exploitation requires a valid auth token and involves crafting a malicious request targeting specific file paths.

Zimbra Collab 10.1 XSS via Briefcase Folder Share
CVE-2024-45512 - November 21, 2024

An issue was discovered in webmail in Zimbra Collaboration (ZCS) through 10.1. An attacker can exploit this vulnerability by creating a folder in the Briefcase module with a malicious payload and sharing it with a victim. When the victim interacts with the folder share notification, the malicious script executes in their browser. This stored Cross-Site Scripting (XSS) vulnerability can lead to unauthorized actions within the victim's session.

Zimbra Collaboration Server 8.8.15/9.0 Account Closure Bypass via IMAP/SMTP
CVE-2023-26562 6.5 - Medium - February 13, 2024

In Zimbra Collaboration (ZCS) 8.8.15 and 9.0, a closed account (with 2FA and generated passwords) can send e-mail messages when configured for IMAP/SMTP.

AuthZ

ZCS 8.8.15/9.0 RCE via ClientUploader Auth Admin
CVE-2022-45912 7.2 - High - December 05, 2022

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. Remote code execution can occur through ClientUploader by an authenticated admin user. An authenticated admin user can upload files through the ClientUploader utility, and traverse to any other directory for remote code execution.

Unrestricted File Upload

Zimbra Collaboration 8.7.x - 8.8.11P2 contains persistent XSS.
CVE-2019-8945 - January 27, 2020

Zimbra Collaboration 8.7.x - 8.8.11P2 contains persistent XSS.

Zimbra Collaboration 8.7.x - 8.8.11P2 contains persistent XSS.
CVE-2019-8946 - January 27, 2020

Zimbra Collaboration 8.7.x - 8.8.11P2 contains persistent XSS.

Zimbra Collaboration 8.7.x - 8.8.11P2 contains non-persistent XSS.
CVE-2019-8947 - January 27, 2020

Zimbra Collaboration 8.7.x - 8.8.11P2 contains non-persistent XSS.

Zimbra Collaboration before 8.8.15 Patch 1 is vulnerable to a non-persistent XSS
CVE-2019-12427 - January 27, 2020

Zimbra Collaboration before 8.8.15 Patch 1 is vulnerable to a non-persistent XSS via the Admin Console.

In Zimbra Collaboration before 8.8.15 Patch 1
CVE-2019-15313 - January 27, 2020

In Zimbra Collaboration before 8.8.15 Patch 1, there is a non-persistent XSS vulnerability.

Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3
CVE-2019-9621 7.5 - High - April 30, 2019

Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows SSRF via the ProxyServlet component.

SSRF
