CVE-2022-37043

Name of the Vulnerable Software and Affected Versions Zimbra Collaboration Suite (ZCS) versions 8.8.15 through 9.0

Description An issue in the webmail component of Zimbra Collaboration Suite allows for a request to be sent to the application without a CSRF token when an authenticated user views an attacker-controlled page, and the request still succeeds due to the omission of CSRF token checks on some POST endpoints.

Recommendations For versions 8.8.15 and 9.0, consider temporarily disabling the preauth feature until a patch is available to prevent exploitation of this issue. Restrict access to the webmail component to minimize the risk of exploitation. Avoid using the affected POST endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.