CVE-2024-33535
HIGH
Zimbra Collaboration 9.0-10.0 < 10.0.8 - Unauthenticated Local File Inclusion via Packages Parameter
Title source: llm
Description
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The vulnerability involves unauthenticated local file inclusion (LFI) in a web application, specifically impacting the handling of the packages parameter. Attackers can exploit this flaw to include arbitrary local files without authentication, potentially leading to unauthorized access to sensitive information. The vulnerability is limited to files within a specific directory.
Scores
CVSS v3
7.5
EPSS
0.0055
EPSS Percentile
41.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (2)
zimbra/collaboration
9.0.0 (38 CPE variants)
zimbra/collaboration
10.0.0 - 10.0.8
Published
Aug 12, 2024
Tracked Since
Feb 18, 2026