CVE-2020-10194
MEDIUMZimbra zm-mailbox < 8.8.15.p8 - Authenticated Missing Authorization in AutoCompleteGal
Title source: llmDescription
cs/service/account/AutoCompleteGal.java in Zimbra zm-mailbox before 8.8.15.p8 allows authenticated users to request any GAL account. This differs from the intended behavior in which the domain of the authenticated user must match the domain of the galsync account in the request.
References (3)
Core 3
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/Zimbra/zm-mailbox/compare/8.8.15.p7...8.8.15.p8
Patch, Third Party Advisory x_refsource_misc
https://github.com/Zimbra/zm-mailbox/commit/1df440e0efa624d1772a05fb6d397d9beb4bda1e
Patch, Third Party Advisory x_refsource_confirm
https://github.com/Zimbra/zm-mailbox/pull/1020
Scores
CVSS v3
6.5
EPSS
0.0121
EPSS Percentile
64.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-862
Status
published
Products (2)
zimbra/zm-mailbox
8.8.15 (8 CPE variants)
zimbra/zm-mailbox
< 8.8.15
Published
Mar 20, 2020
Tracked Since
Feb 18, 2026