CVE-2022-37043

MEDIUM

Zimbra Collaboration Suite 8.8.15 and 9.0 - Cross-Site Request Forgery via Preauth POST Endpoints


Description

An issue was discovered in the webmail component in Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0. When preauth is used, CSRF tokens are not checked on some POST endpoints. Thus, when an authenticated user views an attacker-controlled page, a request is sent to the application that appears to be intended by the user. The CSRF token is omitted from the request, but the request still succeeds.

References (2)

Core References
Tags: Patch, Vendor Advisory (x_refsource_misc)
https://wiki.zimbra.com/wiki/Security_Center

Scores

CVSS v3 5.7
EPSS 0.0027
EPSS Percentile 18.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

Details

CWE
CWE-352
Status published
Products (2)
zimbra/collaboration 8.8.15
zimbra/collaboration 9.0.0
Published Aug 12, 2022
Tracked Since Feb 18, 2026