CVE-2022-37043

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-37043
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-37043.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-37043
Published
2022-08-12T15:15:16Z
Modified
2024-09-03T04:18:33.783811Z
Severity
  • 5.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

An issue was discovered in the webmail component in Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0. When using preauth, CSRF tokens are not checked on some POST endpoints. Thus, when an authenticated user views an attacker-controlled page, a request will be sent to the application that appears to be intended. The CSRF token is omitted from the request, but the request still succeeds.

References

Affected packages

Git / github.com/zimbra/zm-build

Affected ranges

Type
GIT
Repo
https://github.com/zimbra/zm-build
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Last affected

Affected versions

8.*

8.7.10
8.7.11
8.7.6
8.7.7
8.7.9
8.8.0.beta1
8.8.10
8.8.11
8.8.11.p3
8.8.12
8.8.15
8.8.2
8.8.3
8.8.4
8.8.6
8.8.7
8.8.8
8.8.9
8.8.9.p1
8.8.9.p3