CVE-2020-10194

MEDIUM

Zimbra zm-mailbox < 8.8.15.p8 - Authenticated Missing Authorization in AutoCompleteGal

Title source: llm
STIX 2.1

Description

cs/service/account/AutoCompleteGal.java in Zimbra zm-mailbox before 8.8.15.p8 allows authenticated users to request any GAL account. This differs from the intended behavior in which the domain of the authenticated user must match the domain of the galsync account in the request.

References (3)

Core 3
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/Zimbra/zm-mailbox/compare/8.8.15.p7...8.8.15.p8
Patch, Third Party Advisory x_refsource_confirm
https://github.com/Zimbra/zm-mailbox/pull/1020

Scores

CVSS v3 6.5
EPSS 0.0121
EPSS Percentile 64.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-862
Status published
Products (2)
zimbra/zm-mailbox 8.8.15 (8 CPE variants)
zimbra/zm-mailbox < 8.8.15
Published Mar 20, 2020
Tracked Since Feb 18, 2026