CVE-2020-12846

Name of the Vulnerable Software and Affected Versions Zimbra versions prior to 8.8.15 Patch 10 Zimbra versions 9.x prior to 9.0.0 Patch 3

Description The issue allows remote code execution via an avatar file, potentially abusing the /service/upload servlet in the webmail subsystem. A user can upload executable files, such as exe, sh, bat, or jar, in the Contact section of the mailbox as an avatar image for a contact. Although the user receives a "Corrupt File" error, the file is still uploaded and stored locally in /opt/zimbra/data/tmp/upload/, leaving it open to possible remote execution.

Recommendations For Zimbra versions prior to 8.8.15 Patch 10, update to version 8.8.15 Patch 10 or later. For Zimbra versions 9.x prior to 9.0.0 Patch 3, update to version 9.0.0 Patch 3 or later. As a temporary workaround, consider restricting access to the /service/upload servlet to minimize the risk of exploitation.