PT-2022-17932 · Zarafa+3 · Zarafa Collaboration Platform+3

Published: 2022-04-01 · Updated: 2024-07-04 · CVE-2022-26562

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Kopano Core versions 11.0.2.51 and earlier
Zarafa Collaboration Platform versions 6.30 through 6.30.8

Description

The issue allows attackers to authenticate even if the user account or password is expired. This is due to a problem in the provider/libserver/ECKrbAuth.cpp file of Kopano Core and the provider/libserver/ECPamAuth.cpp file of Zarafa Collaboration Platform.

Recommendations

For Kopano Core versions 11.0.2.51 and earlier, update to a version later than 11.0.2.51 to resolve the issue.

For Zarafa Collaboration Platform versions 6.30 through 6.30.8, consider disabling the authentication mechanism in ECPamAuth.cpp until a patch is available. As a temporary workaround, restrict access to the affected authentication module to minimize the risk of exploitation.

Exploit

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2022-26562
DLA-3354-1
USN-6876-1

Affected Products

Kopano Core
Linuxmint
Ubuntu
Zarafa Collaboration Platform