First published: Wed Apr 20 2022
Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Zimbra Collaboration | =8.8.15 | |
Zimbra Collaboration | =9.0.0 | |
CVE-2022-27925 is a vulnerability in Zimbra Collaboration (ZCS) that allows an authenticated attacker to upload arbitrary files and perform remote code execution.
CVE-2022-27925 has a severity rating of 7.2 (high).
Zimbra Collaboration versions 8.8.15 and 9.0.0 are affected by CVE-2022-27925.
An attacker can exploit CVE-2022-27925 by using the mboximport functionality to upload arbitrary files and execute remote code.
Zimbra Collaboration release 9.0.0 Patch 24 contains a fix for CVE-2022-27925.
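The description above is an instance of archive extraction leading to directory traversal. The following is an added example of the general defensive check for that class of flaw; it is not Zimbra's code or its patch. The function names (`unsafe_entries`, `extract_checked`, `build_sample`) and the sample archive contents are hypothetical and constructed for illustration.

```python
import io
import os
import zipfile


def unsafe_entries(archive: zipfile.ZipFile, dest_dir: str) -> list[str]:
    """Return entry names that would resolve outside dest_dir if extracted."""
    root = os.path.realpath(dest_dir)
    flagged = []
    for info in archive.infolist():
        # Treat Windows separators as path separators so the check is conservative.
        name = info.filename.replace("\\", "/")
        target = os.path.realpath(os.path.join(root, name))
        # commonpath compares whole path components, so a sibling such as
        # /data/out-evil is not mistaken for a child of /data/out.
        if os.path.isabs(name) or os.path.commonpath([root, target]) != root:
            flagged.append(info.filename)
    return flagged


def extract_checked(data: bytes, dest_dir: str) -> list[str]:
    """Extract an uploaded archive only if every entry stays under dest_dir."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        bad = unsafe_entries(archive, dest_dir)
        if bad:
            # Reject the whole upload before anything is written to disk.
            raise ValueError(f"archive rejected, entries escape {dest_dir}: {bad}")
        written = []
        for info in archive.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest_dir, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with archive.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
        return written


def build_sample(names: list[str]) -> bytes:
    """Constructed test archive: each name becomes an entry with placeholder content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n in names:
            z.writestr(n, b"placeholder")
    return buf.getvalue()
```

Validating every entry before writing any of them means a rejected archive leaves nothing behind on disk, and the list of flagged entry names is worth logging for incident review.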