CVE-2013-7091

Name of the Vulnerable Software and Affected Versions Zimbra versions 7.2.2 through 8.0.2

Description A directory traversal issue exists, allowing remote attackers to read arbitrary files by using a .. (dot dot) in the skin parameter of the /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx TemplateMsg.js.zgz endpoint. This can potentially be leveraged to execute arbitrary code by obtaining LDAP credentials and accessing the service/admin/soap API.

Recommendations For Zimbra versions 7.2.2 through 8.0.2, consider restricting access to the vulnerable endpoint /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx TemplateMsg.js.zgz to minimize the risk of exploitation. Additionally, limit the use of the skin parameter to prevent directory traversal attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.