CVE-2024-45518

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-45518

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-45518.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-45518

Published

2024-10-22T17:15:03.837Z

Modified

2025-11-20T12:30:07.157070Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

An issue was discovered in Zimbra Collaboration (ZCS) 10.1.x before 10.1.1, 10.0.x before 10.0.9, 9.0.0 before Patch 41, and 8.8.15 before Patch 46. It allows authenticated users to exploit Server-Side Request Forgery (SSRF) due to improper input sanitization and misconfigured domain whitelisting. This issue permits unauthorized HTTP requests to be sent to internal services, which can lead to Remote Code Execution (RCE) by chaining Command Injection within the internal service. When combined with existing XSS vulnerabilities, this SSRF issue can further facilitate Remote Code Execution (RCE).

References

Affected packages

Git / github.com/zimbra/zm-build

Affected ranges

Type: GIT
Repo: https://github.com/zimbra/zm-build
Events: Introduced

b68c7b31a1d94f94903a79c53f1bd316b792de1d

Fixed

2c67cbdfaebf6a71928749b7146f4852876b63ff

Affected versions

10.*

10.0.0-GA

10.0.1

10.0.4

10.0.5

10.0.6