CVE-2022-37042

Name of the Vulnerable Software and Affected Versions Zimbra Collaboration Suite (ZCS) versions 8.8.15 through 9.0

Description The mboximport functionality in Zimbra Collaboration Suite (ZCS) has an authentication bypass issue, allowing an attacker to upload arbitrary files to the system without an authtoken. This can lead to directory traversal and remote code execution. The issue is due to an incomplete fix for a previous vulnerability.

Recommendations For Zimbra Collaboration Suite (ZCS) versions 8.8.15 through 9.0, consider disabling the mboximport functionality until a patch is available to prevent exploitation. Restrict access to the mboximport module to minimize the risk of remote code execution. Avoid using the mboximport functionality in production environments until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.