Cross-site request forgery in Zimbra Collaboration - #VU134810

 


Published: June 18, 2026


Vulnerability identifier: #VU134810
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-352
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Synacor Inc.
Affected software:
Zimbra Collaboration

Detailed vulnerability description

The vulnerability allows a remote attacker to perform unauthorized actions on behalf of an authenticated user.

The vulnerability exists due to cross-site request forgery in the EWS endpoint when handling crafted cross-site requests. A remote attacker can cause the victim's browser to send a crafted request to perform unauthorized actions on behalf of an authenticated user.

Exploitation requires user interaction while the victim has an active authenticated session.


Remediation

Install the security update from the vendor's website.
