CVE-2024-54663

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-54663
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-54663.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-54663
Published
2024-12-19T23:15:07Z
Modified
2025-06-12T11:02:10.018411Z
Summary
[none]
Details

An issue was discovered in the Webmail Classic UI in Zimbra Collaboration (ZCS) 9.0, 10.0, and 10.1. A Local File Inclusion (LFI) vulnerability exists in the /h/rest endpoint, allowing authenticated remote attackers to include and access sensitive files in the WebRoot directory. Exploitation requires a valid auth token and involves crafting a malicious request targeting specific file paths.

References

Affected packages

Git / github.com/zimbra/zm-mailbox

Affected ranges

Type
GIT
Repo
https://github.com/zimbra/zm-mailbox
Events

Affected versions

10.*

10.0.0
10.0.0-GA
10.0.1
10.0.2
10.0.5
10.0.6
10.0.7
10.0.8
10.0.9

9.*

9.0.0