Zimbra Collaboration Server 7.2.2 / 8.0.2 – Local File Inclusion Vulnerability
by CIRT Team
Description:
CVE-2013-7091: Directory traversal vulnerability on /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the skin parameter.
NOTE: This can be leveraged to execute arbitrary code by obtaining LDAP credentials and accessing the service/admin/soap API.
Impact: An attacker can exploit this vulnerability to obtain potentially sensitive information, such as LDAP root credentials, and go on to execute arbitrary local scripts. This could allow the attacker to compromise the application and the underlying host; other attacks are also possible.
Mitigation: The vendor has released a patched version.
Reference URLs:
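The following is an added example, not Zimbra's code and not part of the original advisory. It shows the two defensive checks that close this class of bug (an allow-list on the skin name plus a canonical-path containment test) and a small access-log scan that flags requests to the /res/ resource whose skin parameter carries a traversal sequence. The skins directory, the log format and the log lines are constructed assumptions for the demonstration.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlparse

# Hypothetical skins directory; the real Zimbra layout is not described on the page.
SKIN_ROOT = "/srv/webapp/skins"

# Allow-list of characters a skin name may legitimately contain.
SKIN_NAME = re.compile(r"[A-Za-z0-9_-]+")
# ".." followed by a path separator, checked after percent-decoding.
TRAVERSAL = re.compile(r"\.\.[/\\]")


def resolve_skin_path(skin, root=SKIN_ROOT):
    """Return the canonical path <root>/<skin>, or None if the value is unsafe.

    Two independent checks: an allow-list on the raw name (rejects '..', '/'
    and percent-encoded variants outright) and a realpath containment test
    that would still hold even if the allow-list were later loosened.
    """
    if not skin or not SKIN_NAME.fullmatch(skin):
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, skin))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def traversal_in_skin(url):
    """True if the request targets /res/ and its skin parameter contains traversal."""
    parsed = urlparse(url)
    if not parsed.path.startswith("/res/"):
        return False
    for value in parse_qs(parsed.query, keep_blank_values=True).get("skin", []):
        # parse_qs decodes once; decode again so double-encoded '..' is also caught.
        if TRAVERSAL.search(unquote(value)):
            return True
    return False


def flag_traversal_requests(log_lines):
    """Return (client_ip, url) for each access-log line that looks like a traversal attempt."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        url = m.group(1)
        if traversal_in_skin(url):
            hits.append((line.split(" ", 1)[0], url))
    return hits


# Constructed sample access-log lines in combined format (not real traffic).
RES_PATH = "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz"
SAMPLE_LOG = [
    f'198.51.100.7 - - [10/Dec/2013:09:12:01 +0000] "GET {RES_PATH}?skin=carbon HTTP/1.1" 200 9120',
    f'203.0.113.9 - - [10/Dec/2013:09:12:04 +0000] "GET {RES_PATH}?skin=../../../../etc/hostname HTTP/1.1" 200 311',
    f'203.0.113.9 - - [10/Dec/2013:09:12:05 +0000] "GET {RES_PATH}?skin=%2e%2e%2F%2e%2e%2Fetc%2Fhostname HTTP/1.1" 200 311',
    '198.51.100.7 - - [10/Dec/2013:09:13:00 +0000] "GET /zimbra/ HTTP/1.1" 200 4410',
]

if __name__ == "__main__":
    for ip, url in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {url}")
    print(resolve_skin_path("carbon"))
    print(resolve_skin_path("../../etc/hostname"))
```

The containment test is the one that matters for an unpatched file-serving handler: a name that passes the allow-list can never resolve outside the skins directory, and a name that fails it is rejected before any filesystem access. The log scan is intentionally narrow (only the /res/ path and only the skin parameter) so it can be dropped into a log pipeline as a single low-noise rule.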
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7091
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories