GraphQL Information Disclosure Vulnerability in Zimbra
CVE-2024-9665

6.5 MEDIUM

Key Information:

Vendor: Zimbra
Status: Vendor
CVE Published: 22 November 2024

What is CVE-2024-9665?

The GraphQL endpoint of Zimbra Collaboration Suite is exposed to a Cross-Site Request Forgery (CSRF) vulnerability, which can be exploited by remote attackers to access sensitive information related to the user’s email account. Exploitation requires user interaction, where the victim must open a malicious email. This vulnerability stems from inadequate CSRF protection, allowing attackers to manipulate requests in the context of the target's session, thereby compromising sensitive data. For users of Zimbra, it is essential to ensure that the latest security patches are applied to mitigate the risks associated with this flaw.

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published
