An issue was discovered in the Webmail Classic UI in Zimbra Collaboration (ZCS) 9.0, 10.0, and 10.1. A Local File Inclusion (LFI) vulnerability exists in the /h/rest endpoint, allowing authenticated remote attackers to include and access sensitive files in the WebRoot directory. Exploitation requires a valid auth token and involves crafting a malicious request targeting specific file paths.
[
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"293476507431958131404167032974032467993",
"110084317960895620792832720618015736896",
"340213455265195935999810063892549280386",
"84422352583974192002360095392860473907",
"101925642364125023685609308323644423619",
"31561228545396266183464262746029819015",
"64611849619378506423783006189280918231",
"333113243727841782649177014744596852525",
"336439996810183764694236009078007948649",
"63871200752977416365213023436439422401",
"8402874607266349149096628273512944818",
"28066954028696881101906947503684848034",
"265514127333621232979464759051295567772"
]
},
"target": {
"file": "store/src/java/com/zimbra/cs/account/ProvUtil.java"
},
"id": "CVE-2024-54663-219fd941",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"source": "https://github.com/zimbra/zm-mailbox/commit/0068692c007c4396024893cf961cfe633667f9ee"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"293476507431958131404167032974032467993",
"110084317960895620792832720618015736896",
"340213455265195935999810063892549280386",
"84422352583974192002360095392860473907",
"101925642364125023685609308323644423619",
"31561228545396266183464262746029819015",
"64611849619378506423783006189280918231",
"333113243727841782649177014744596852525",
"336439996810183764694236009078007948649",
"63871200752977416365213023436439422401",
"8402874607266349149096628273512944818",
"28066954028696881101906947503684848034",
"265514127333621232979464759051295567772"
]
},
"target": {
"file": "store/src/java/com/zimbra/cs/account/ProvUtil.java"
},
"id": "CVE-2024-54663-5b656ed5",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"source": "https://github.com/zimbra/zm-mailbox/commit/d3367a24f789e991caa7690299d8e0fff15664d2"
},
{
"digest": {
"length": 595.0,
"function_hash": "56417046871487832888266304611322150134"
},
"target": {
"file": "store/src/java/com/zimbra/cs/account/ProvUtil.java",
"function": "doCreateAccountsBulk"
},
"id": "CVE-2024-54663-99904d9a",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"source": "https://github.com/zimbra/zm-mailbox/commit/d3367a24f789e991caa7690299d8e0fff15664d2"
},
{
"digest": {
"length": 595.0,
"function_hash": "56417046871487832888266304611322150134"
},
"target": {
"file": "store/src/java/com/zimbra/cs/account/ProvUtil.java",
"function": "doCreateAccountsBulk"
},
"id": "CVE-2024-54663-bf9e7661",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"source": "https://github.com/zimbra/zm-mailbox/commit/0068692c007c4396024893cf961cfe633667f9ee"
}
]
"2026-04-12T11:59:24Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-54663.json"