CVE-2013-7091
EXPLOITED NUCLEIZimbra 7.2.2-8.0.2 - Path Traversal
Title source: llmDescription
Directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the skin parameter. NOTE: this can be leveraged to execute arbitrary code by obtaining LDAP credentials and accessing the service/admin/soap API.
Exploits (3)
exploitdb
WORKING POC
VERIFIED
by Metasploit · rubywebappslinux
https://www.exploit-db.com/exploits/30472
exploitdb
WORKING POC
VERIFIED
by rubina119 · textwebappslinux
https://www.exploit-db.com/exploits/30085
metasploit
WORKING POC
EXCELLENT
by rubina119 · rubypoclinux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/zimbra_lfi.rb
Nuclei Templates (1)
Zimbra Collaboration Server 7.2.2/8.0.2 Local File Inclusion
MEDIUMby rubina119
Shodan:
http.title:"zimbra collaboration suite" || http.title:"zimbra web client sign in"
FOFA:
title="zimbra web client sign in" || title="zimbra collaboration suite"
References (6)
Scores
EPSS
0.9241
EPSS Percentile
99.7%
Details
VulnCheck KEV
2023-11-13
CWE
CWE-22
Status
published
Products (16)
synacor/zimbra_collaboration_suite
6.0.0
synacor/zimbra_collaboration_suite
6.0.1
synacor/zimbra_collaboration_suite
6.0.2
synacor/zimbra_collaboration_suite
6.0.3
synacor/zimbra_collaboration_suite
6.0.4
synacor/zimbra_collaboration_suite
6.0.5
synacor/zimbra_collaboration_suite
6.0.6
synacor/zimbra_collaboration_suite
6.0.7
synacor/zimbra_collaboration_suite
6.0.8
synacor/zimbra_collaboration_suite
6.0.9
... and 6 more
Published
Dec 13, 2013
Tracked Since
Feb 18, 2026