#VU96813 PHP file inclusion in Zimbra Collaboration - CVE-2024-33535

Published: September 4, 2024


Vulnerability identifier: #VU96813
Vulnerability risk: Critical
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Red
CVE-ID: CVE-2024-33535
CWE-ID: CWE-98
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Zimbra Collaboration
Software vendor:
Synacor Inc.

Description

The vulnerability allows a remote attacker to include and execute arbitrary PHP files on the server.

The vulnerability exists due to incorrect input validation when including PHP files passed via the "packages" parameter in the zimbraAdmin interface. A remote non-authenticated attacker can send a specially crafted HTTP request to the affected application and include and execute arbitrary PHP code on the system with the privileges of the web server.
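As an added illustration from the defender's side (not part of the original advisory), the script below scans web-server access logs for requests to the zimbraAdmin interface whose "packages" parameter carries a value that a file-inclusion sink should never receive (path traversal, absolute paths, stream wrappers or remote URLs, null bytes). The log lines are constructed, and both the /zimbraAdmin request path and the expectation that legitimate values are plain identifiers are assumptions, since the advisory does not give them.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [04/Sep/2024:10:01:12 +0000] "GET /zimbraAdmin/?packages=Zimlets HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Sep/2024:10:01:13 +0000] "GET /zimbraAdmin/?packages=../../../../tmp/x HTTP/1.1" 200 77 "-" "curl/8.0"
203.0.113.9 - - [04/Sep/2024:10:01:14 +0000] "GET /zimbraAdmin/?packages=php://input HTTP/1.1" 500 0 "-" "curl/8.0"
203.0.113.9 - - [04/Sep/2024:10:01:15 +0000] "GET /zimbraAdmin/?packages=%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 77 "-" "curl/8.0"
198.51.100.2 - - [04/Sep/2024:10:02:00 +0000] "GET /service/soap?packages=../x HTTP/1.1" 200 10 "-" "Mozilla/5.0"
"""

# Client IP, timestamp and request target from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

# Assumption: legitimate "packages" values are simple identifiers; anything else
# (traversal, absolute paths, wrappers such as php:// or http://, null bytes) is flagged.
SAFE_VALUE_RE = re.compile(r'^[A-Za-z0-9_,-]+$')
WRAPPER_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)


def is_suspicious(value: str) -> bool:
    """Return True if a 'packages' value looks like a file-inclusion attempt."""
    v = unquote(unquote(value))  # also catches double URL-encoding
    if SAFE_VALUE_RE.fullmatch(v):
        return False
    return ('..' in v or v.startswith('/') or '\\' in v
            or '\x00' in v or bool(WRAPPER_RE.match(v)))


def scan_log(text: str, admin_path: str = '/zimbraAdmin') -> list[dict]:
    """Flag admin-interface requests whose 'packages' parameter is suspicious."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a combined-format access line
        parts = urlsplit(m['target'])
        if not parts.path.startswith(admin_path):
            continue  # only the admin interface exposes the affected parameter
        for value in parse_qs(parts.query, keep_blank_values=True).get('packages', []):
            if is_suspicious(value):
                hits.append({'ip': m['ip'], 'ts': m['ts'], 'packages': value})
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} suspicious packages={hit['packages']!r}")
```

On the constructed sample the scanner reports the three requests from 203.0.113.9 and ignores both the benign admin request and the traversal attempt against a path outside the admin interface.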


Remediation

Install updates from the vendor's website.

External links