Directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote malicious users to read arbitrary files via a .. (dot dot) in the skin parameter. NOTE: this can be leveraged to execute arbitrary code by obtaining LDAP credentials and accessing the service/admin/soap API.
| Vulnerable Product |
|---|
| synacor zimbra collaboration suite 6.0.0 |
| synacor zimbra collaboration suite 6.0.2 |
| synacor zimbra collaboration suite 6.0.3 |
| synacor zimbra collaboration suite 6.0.1 |
| synacor zimbra collaboration suite 6.0.10 |
| synacor zimbra collaboration suite 6.0.12 |
| synacor zimbra collaboration suite 6.0.4 |
| synacor zimbra collaboration suite 6.0.5 |
| synacor zimbra collaboration suite 6.0.13 |
| synacor zimbra collaboration suite 6.0.14 |
| synacor zimbra collaboration suite 6.0.6 |
| synacor zimbra collaboration suite 6.0.7 |
| synacor zimbra collaboration suite 6.0.15 |
| synacor zimbra collaboration suite 6.0.16 |
| synacor zimbra collaboration suite 6.0.8 |
| synacor zimbra collaboration suite 6.0.9 |
Zimbra mail server exploit claimed as source of dump
A hacker has tried to sell 200,000 valid cleartext Comcast credentials he claims he stole in 2013 from the telco's then-vulnerable mailserver. The telco has reset passwords for the affected accounts after news surfaced of the credentials being sold on the Python Market hidden marketplace. Of the total pool of 590,000 accounts for sale for US$1,000, the company says around a third were accurate. It told the Chicago Tribune the data was probably obtained through phishing, malware, or a breach of a...