CVE Vulnerability

CVE-2020-10194

cs/service/account/AutoCompleteGal.java in Zimbra zm-mailbox before 8.8.15.p8 allows authenticated users to request any GAL account. This differs from the intended behavior in which the domain of the authenticated user must match the domain of the galsync account in the request.

4 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

Scope

6.5 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/Zimbra/zm-mailbox/pull/1020 Patch Third Party Advisory
https://github.com/Zimbra/zm-mailbox/compare/8.8.15.p7...8.8.15.p8 Patch Third Party Advisory
https://github.com/Zimbra/zm-mailbox/commit/1df440e0efa624d1772a05fb6d397d9beb4bda1e Patch Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:zimbra:zm-mailbox:8.8.15:patch1:*:*:*:*:*:*
cpe:2.3:a:zimbra:zm-mailbox:8.8.15:patch2:*:*:*:*:*:*
cpe:2.3:a:zimbra:zm-mailbox:8.8.15:patch3:*:*:*:*:*:*
cpe:2.3:a:zimbra:zm-mailbox:8.8.15:patch4:*:*:*:*:*:*
cpe:2.3:a:zimbra:zm-mailbox:8.8.15:patch5:*:*:*:*:*:*
cpe:2.3:a:zimbra:zm-mailbox:8.8.15:patch6:*:*:*:*:*:*
cpe:2.3:a:zimbra:zm-mailbox:8.8.15:patch7:*:*:*:*:*:*
cpe:2.3:a:zimbra:zm-mailbox:8.8.15:-:*:*:*:*:*:*
cpe:2.3:a:zimbra:zm-mailbox:*:*:*:*:*:*:*:*
Information

Published : 2020-03-20 09:15

Updated : 2021-07-21 11:39

NVD link : CVE-2020-10194

Mitre link : CVE-2020-10194

Products Affected
No products.
CWE
CWE-862