CVE-2018-20160
CRITICALSynacor Zimbra Collaboration Suite 8.7-8.8 - XML External Entity Injection via ZxChat Mailboxd Request
Title source: llmDescription
ZxChat (aka ZeXtras Chat), as used for zimbra-chat and zimbra-talk in Synacor Zimbra Collaboration Suite 8.7 and 8.8 and in other products, allows XXE attacks, as demonstrated by a crafted XML request to mailboxd.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_misc
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
Release Notes, Vendor Advisory x_refsource_misc
https://wiki.zimbra.com/wiki/Security_Center
Issue Tracking, Third Party Advisory x_refsource_misc
https://bugzilla.zimbra.com/show_bug.cgi?id=109093
Scores
CVSS v3
9.8
EPSS
0.0223
EPSS Percentile
80.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-611
Status
published
Products (5)
synacor/zimbra_collaboration_suite
8.7.11 (10 CPE variants)
synacor/zimbra_collaboration_suite
8.8.9 (8 CPE variants)
synacor/zimbra_collaboration_suite
8.8.10 (4 CPE variants)
synacor/zimbra_collaboration_suite
8.8.11
synacor/zimbra_collaboration_suite
8.7.0 - 8.7.11
Published
May 29, 2019
Tracked Since
Feb 18, 2026