SynacorCVEs & Vulnerabilities

81 CVEs affecting Synacor products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

zimbra collaboration suite 190zimbra collaboration server 6
CVE-2018-18631MEDIUM

mailboxd component in Synacor Zimbra Collaboration Suite 8.6, 8.7 before 8.7.11 Patch 7, and 8.8 before 8.8.10 Patch 2 has Persistent XSS.

30 May 2019
6.1
CVSS
CVE-2018-14013MEDIUM

Synacor Zimbra Collaboration Suite Collaboration before 8.8.11 has XSS in the AJAX and html web clients.

30 May 2019
6.1
CVSS
CVE-2018-17938MEDIUM

Zimbra Collaboration before 8.8.10 GA allows text content spoofing via a loginErrorCode value.

3 Oct 2018
5.3
CVSS
CVE-2018-10939MEDIUM

Zimbra Web Client (ZWC) in Zimbra Collaboration Suite 8.8 before 8.8.8.Patch4 and 8.7 before 8.7.11.Patch4 has Persistent XSS via a contact group.

31 May 2018
6.1
CVSS
CVE-2015-7610HIGH

Cross-site request forgery (CSRF) vulnerability in the login form in Zimbra Collaboration Suite (aka ZCS) before 8.6.0 Patch 10, 8.7.x before 8.7.11 Patch 2, and 8.8.x before 8.8.8 Patch 1 allows remote attackers to hijack the authentication of unspecified victims by leveraging failure to use a CSRF token.

31 May 2018
8.8
CVSS
CVE-2018-10951MEDIUM

mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 before 8.6.0.Patch10 allows zimbraSSLPrivateKey read access via a GetServer, GetAllServers, or GetAllActiveServers call in the Admin SOAP API.

10 May 2018
6.5
CVSS
CVE-2018-10950MEDIUM

mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 before 8.6.0.Patch10 allows Information Exposure through Verbose Error Messages containing a stack dump, tracing data, or full user-context dump.

10 May 2018
5.3
CVSS
CVE-2018-10949MEDIUM

mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 allows Account Enumeration by leveraging a Discrepancy between the "HTTP 404 - account is not active" and "HTTP 401 - must authenticate" errors.

10 May 2018
5.3
CVSS
CVE-2017-8783MEDIUM

Synacor Zimbra Collaboration Suite (ZCS) before 8.7.10 has Persistent XSS.

4 Feb 2018
5.4
CVSS
CVE-2017-17703MEDIUM

Synacor Zimbra Collaboration Suite (ZCS) before 8.8.3 has Persistent XSS.

4 Feb 2018
6.1
CVSS
CVE-2017-7288MEDIUM

Cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite (ZCS) before 8.7.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

23 May 2017
6.1
CVSS
CVE-2017-6821CRITICAL

Directory traversal vulnerability in Zimbra Collaboration Suite (aka ZCS) before 8.7.6 allows attackers to have unspecified impact via unknown vectors.

23 May 2017
9.8
CVSS
CVE-2017-6813CRITICAL

A service provided by Zimbra Collaboration Suite (ZCS) before 8.7.6 fails to require needed privileges before performing a few requested operations.

23 May 2017
9.8
CVSS
CVE-2016-3403HIGH

Multiple cross-site request forgery (CSRF) vulnerabilities in the Admin Console in Zimbra Collaboration before 8.6.0 Patch 8 allow remote attackers to hijack the authentication of administrators for requests that (1) add, (2) modify, or (3) remove accounts by leveraging failure to use of a CSRF token and perform referer header checks, aka bugs 100885 and 100899.

17 May 2017
8.8
CVSS
CVE-2016-9924CRITICAL

Zimbra Collaboration Suite (ZCS) before 8.7.4 allows remote attackers to conduct XML External Entity (XXE) attacks.

29 Mar 2017
9.8
CVSS
CVE-2016-4019HIGH

Unspecified vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to affect integrity via unknown vectors, aka bug 104477.

19 Jan 2017
7.5
CVSS
CVE-2016-3999MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bugs 104552 and 104703.

19 Jan 2017
6.1
CVSS
CVE-2016-3415CRITICAL

Zimbra Collaboration before 8.7.0 allows remote attackers to conduct deserialization attacks via unspecified vectors, aka bug 102276.

19 Jan 2017
9.1
CVSS
CVE-2016-3414MEDIUM

Unspecified vulnerability in Zimbra Collaboration before 8.6.0 Patch 7 allows remote authenticated users to affect availability via unknown vectors, aka bug 102029.

19 Jan 2017
6.5
CVSS
CVE-2016-3413HIGH

Unspecified vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to affect integrity via unknown vectors, aka bug 103996.

19 Jan 2017
7.5
CVSS
CVE-2016-3412MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bugs 103997, 104413, 104414, 104777, and 104791.

19 Jan 2017
6.1
CVSS
CVE-2016-3411MEDIUMpoc

Cross-site scripting (XSS) vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bug 103609.

19 Jan 2017
6.1
CVSS
CVE-2016-3410MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bugs 103956, 103995, 104475, 104838, and 104839.

19 Jan 2017
6.1
CVSS
CVE-2016-3409MEDIUM

Cross-site scripting (XSS) vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bug 102637.

19 Jan 2017
6.1
CVSS
CVE-2016-3408MEDIUM

Cross-site scripting (XSS) vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bug 101813.

19 Jan 2017
6.1
CVSS
CVE-2016-3407MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bugs 104222, 104910, 105071, and 105175.

19 Jan 2017
6.1
CVSS
CVE-2016-3406HIGH

Multiple cross-site request forgery (CSRF) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to hijack the authentication of unspecified victims via vectors involving (1) the Client uploader extension or (2) extension REST handlers, aka bugs 104294 and 104456.

19 Jan 2017
8.8
CVSS
CVE-2016-3405HIGH

Multiple unspecified vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to affect integrity via unknown vectors, aka bugs 103961 and 104828.

19 Jan 2017
7.5
CVSS
CVE-2016-3404HIGH

Unspecified vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to affect integrity via unknown vectors, aka bug 103959.

19 Jan 2017
7.5
CVSS
CVE-2016-3402HIGH

Unspecified vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to affect confidentiality via unknown vectors, aka bug 99167.

19 Jan 2017
7.5
CVSS
CVE-2016-3401MEDIUM

Unspecified vulnerability in Zimbra Collaboration before 8.7.0 allows remote authenticated users to affect integrity via unknown vectors, aka bug 99810.

19 Jan 2017
6.5
CVSS
CVE-2013-7091MEDIUMpoc

Directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the skin parameter. NOTE: this can be leveraged to execute arbitrary code by obtaining LDAP credentials and accessing the service/admin/soap API.

13 Dec 2013
5.0
CVSS
CVE-2013-5119MEDIUM

Zimbra Collaboration Suite (ZCS) 6.0.16 and earlier allows man-in-the-middle attackers to obtain access by sniffing the network and replaying the ZM_AUTH_TOKEN token.

23 Sep 2013
6.8
CVSS
← PrevPage 2 / 2Next →