CVE-2020-10194
First published: Fri Mar 20 2020(Updated: )
cs/service/account/AutoCompleteGal.java in Zimbra zm-mailbox before 8.8.15.p8 allows authenticated users to request any GAL account. This differs from the intended behavior in which the domain of the authenticated user must match the domain of the galsync account in the request.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Zimbra zm-mailbox | <8.8.15 | |
| Zimbra zm-mailbox | =8.8.15 | |
| Zimbra zm-mailbox | =8.8.15-patch1 | |
| Zimbra zm-mailbox | =8.8.15-patch2 | |
| Zimbra zm-mailbox | =8.8.15-patch3 | |
| Zimbra zm-mailbox | =8.8.15-patch4 | |
| Zimbra zm-mailbox | =8.8.15-patch5 | |
| Zimbra zm-mailbox | =8.8.15-patch6 | |
| Zimbra zm-mailbox | =8.8.15-patch7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2020-10194.
What is the severity level of CVE-2020-10194?
The severity level of CVE-2020-10194 is medium, with a CVSS score of 6.5.
Which software versions are affected by CVE-2020-10194?
Versions of Zimbra zm-mailbox before 8.8.15.p8 are affected by CVE-2020-10194.
What is the impact of CVE-2020-10194?
CVE-2020-10194 allows authenticated users to request any GAL (Global Address List) account, bypassing the intended domain matching behavior.
How can I fix CVE-2020-10194?
To fix CVE-2020-10194, upgrade to Zimbra zm-mailbox version 8.8.15.p8 or later.
- collector/nvd-index
- vendor/zimbra
- canonical/zimbra zm-mailbox
- version/zimbra zm-mailbox/8.8.15
- version/zimbra zm-mailbox/8.8.15-patch1
- version/zimbra zm-mailbox/8.8.15-patch2
- version/zimbra zm-mailbox/8.8.15-patch3
- version/zimbra zm-mailbox/8.8.15-patch4
- version/zimbra zm-mailbox/8.8.15-patch5
- version/zimbra zm-mailbox/8.8.15-patch6
- version/zimbra zm-mailbox/8.8.15-patch7