CVE-2022-37043
MEDIUMZimbra Collaboration Suite 8.8.15 and 9.0 - Cross-Site Request Forgery via Preauth POST Endpoints
Title source: llmDescription
An issue was discovered in the webmail component in Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0. When using preauth, CSRF tokens are not checked on some POST endpoints. Thus, when an authenticated user views an attacker-controlled page, a request will be sent to the application that appears to be intended. The CSRF token is omitted from the request, but the request still succeeds.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_misc
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
Patch, Vendor Advisory x_refsource_misc
https://wiki.zimbra.com/wiki/Security_Center
Scores
CVSS v3
5.7
EPSS
0.0027
EPSS Percentile
18.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
Details
CWE
CWE-352
Status
published
Products (2)
zimbra/collaboration
8.8.15
zimbra/collaboration
9.0.0
Published
Aug 12, 2022
Tracked Since
Feb 18, 2026