Unauthorized Access to Sensitive Information via Local File Inclusion Vulnerability
CVE-2024-33535

7.5HIGH

Key Information:

Vendor: Zimbra
Status: Collaboration
Vendor: CVE Published:; 12 August 2024

What is CVE-2024-33535?

A security vulnerability exists in Zimbra Collaboration, specifically in versions 9.0 and 10.0, where an unauthenticated local file inclusion (LFI) flaw can be exploited through the web application's handling of the packages parameter. This weakness allows attackers to include arbitrary local files without requiring authentication, potentially leading to unauthorized access and exposure of sensitive information stored on the server. The vulnerability is confined to files located within a specific directory, highlighting the importance of monitoring and securing file access permissions in the affected versions.

References

https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.8#Secur...

https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P40#Se...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 12, 2024
Vulnerability Reserved
Apr 24, 2024