CVE-2020-10194

Name of the Vulnerable Software and Affected Versions Zimbra zm-mailbox versions prior to 8.8.15.p8

Description The issue allows authenticated users to request any GAL account, differing from the intended behavior where the domain of the authenticated user must match the domain of the galsync account in the request. This is due to a problem in the cs/service/account/AutoCompleteGal.java file.

Recommendations For versions prior to 8.8.15.p8, update to version 8.8.15.p8 or later to resolve the issue. As a temporary workaround, consider restricting access to the GAL account request functionality to minimize the risk of exploitation.