Local File Inclusion Vulnerability in Zimbra Collaboration Webmail Classic UI
CVE-2024-54663

7.5HIGH

Key Information:

Vendor: Zimbra
Vendor: CVE Published:; 19 December 2024

What is CVE-2024-54663?

CVE-2024-54663 is a Local File Inclusion (LFI) vulnerability found in the Webmail Classic UI of Zimbra Collaboration Suite versions 9.0, 10.0, and 10.1. This vulnerability allows authenticated remote attackers to exploit the /h/rest endpoint by leveraging a valid authentication token to craft malicious requests. Once exploited, the adversary can gain unauthorized access to sensitive files located in the WebRoot directory, potentially compromising the integrity and confidentiality of the system. Prompt action is advised to mitigate this security risk.

References

https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.3#Secur...

https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.11#Secu...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 19, 2024