CVE-2018-15131

MEDIUM

Synacor Zimbra Collaboration Suite <8.6.0-8.8.9 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-15131. PoCs published by 0x00-0x00.

AI-analyzed exploit summary: This PoC exploits CVE-2018-15131, a user enumeration vulnerability in Zimbra Collaboration. It checks for valid usernames by sending HTTP requests with Basic Authentication headers and analyzing the response for 'WWW-Authenticate' headers.

Description

An issue was discovered in Synacor Zimbra Collaboration Suite 8.6.x before 8.6.0 Patch 11, 8.7.x before 8.7.11 Patch 6, 8.8.x before 8.8.8 Patch 9, and 8.8.9 before 8.8.9 Patch 3. Account number enumeration is possible via inconsistent responses for specific types of authentication requests.

Exploits (1)

nomisec WORKING POC 1 stars
by 0x00-0x00 · poc
https://github.com/0x00-0x00/CVE-2018-15131


Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Zimbra Collaboration
No auth needed
Prerequisites: A list of usernames to test · Network access to the Zimbra Collaboration server
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://bugzilla.zimbra.com/show_bug.cgi?id=109012

Scores

CVSS v3 5.3
EPSS 0.0186
EPSS Percentile 76.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE: CWE-200
Status: published
Products (5)
synacor/zimbra_collaboration_suite 8.6.0 (10 CPE variants)
synacor/zimbra_collaboration_suite 8.7.11 (6 CPE variants)
synacor/zimbra_collaboration_suite 8.8.8 (8 CPE variants)
synacor/zimbra_collaboration_suite 8.8.9 (3 CPE variants)
synacor/zimbra_collaboration_suite 8.7.0 - 8.7.11
Published May 30, 2019
Tracked Since Feb 18, 2026