PT-2024-6227 · Zimbra · Zimbra Collaboration

Lebr0Nli · Published 2024-09-04 · Updated 2024-10-30 · CVE-2024-45518

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
- Zimbra Collaboration (ZCS) versions 10.1.x through 10.1.0
- Zimbra Collaboration (ZCS) versions 10.0.x through 10.0.8
- Zimbra Collaboration (ZCS) 9.0.0 before Patch 41
- Zimbra Collaboration (ZCS) 8.8.15 before Patch 46
Description
An issue in Zimbra Collaboration allows authenticated users to perform Server-Side Request Forgery (SSRF), caused by improper input sanitization and a misconfigured domain whitelist. The SSRF lets an attacker send unauthorized HTTP requests to internal services that should not be reachable from outside; when chained with a Command Injection in one of those internal services, it can lead to Remote Code Execution (RCE). Combined with existing XSS vulnerabilities, this SSRF issue can further facilitate RCE.
Recommendations
- For Zimbra Collaboration (ZCS) versions 10.1.x through 10.1.0, update to version 10.1.1 or later.
- For Zimbra Collaboration (ZCS) versions 10.0.x through 10.0.8, update to version 10.0.9 or later.
- For Zimbra Collaboration (ZCS) 9.0.0, apply Patch 41 or later.
- For Zimbra Collaboration (ZCS) 8.8.15, apply Patch 46 or later.

Fix

RCE

SSRF

Weakness Enumeration

Related Identifiers

BDU:2024-07171
CVE-2024-45518

Affected Products

Zimbra Collaboration