CVE-2020-35123

In Zimbra Collaboration Suite Network Edition versions < 9.0.0 P10 and 8.8.15 P17, there exists an XXE vulnerability in the saml consumer store extension, which is vulnerable to XXE attacks. This has been fixed in Zimbra Collaboration Suite Network edition 9.0.0 Patch 10 and 8.8.15 Patch 17.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://wiki.zimbra.com/wiki/Security_Center	Product
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P17	Release Notes Vendor Advisory
https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P10	Third Party Advisory Vendor Advisory
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:zimbra:collaboration::::::::
	cpe:2.3:a:zimbra:collaboration:8.8.15:-::::::
	cpe:2.3:a:zimbra:collaboration:8.8.15:p1::::::
	cpe:2.3:a:zimbra:collaboration:8.8.15:p10::::::
	cpe:2.3:a:zimbra:collaboration:8.8.15:p11::::::
	cpe:2.3:a:zimbra:collaboration:8.8.15:p12::::::
	cpe:2.3:a:zimbra:collaboration:8.8.15:p13::::::
	cpe:2.3:a:zimbra:collaboration:8.8.15:p14::::::
	cpe:2.3:a:zimbra:collaboration:8.8.15:p15::::::
	cpe:2.3:a:zimbra:collaboration:8.8.15:p16::::::
	cpe:2.3:a:zimbra:collaboration:8.8.15:p2::::::
	cpe:2.3:a:zimbra:collaboration:8.8.15:p3::::::
	cpe:2.3:a:zimbra:collaboration:8.8.15:p4::::::
	cpe:2.3:a:zimbra:collaboration:8.8.15:p5::::::
	cpe:2.3:a:zimbra:collaboration:8.8.15:p6::::::
	cpe:2.3:a:zimbra:collaboration:8.8.15:p7::::::
	cpe:2.3:a:zimbra:collaboration:8.8.15:p8::::::
	cpe:2.3:a:zimbra:collaboration:8.8.15:p9::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:-::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p1::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p2::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p3::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p4::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p5::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p6::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p7::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p8::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p9::::::

History

No history.

Information

Published : 2020-12-17 04:15

Updated : 2020-12-22 17:26

NVD link : CVE-2020-35123

Mitre link : CVE-2020-35123

CVE.ORG link : CVE-2020-35123

JSON object : View

Products Affected

zimbra

collaboration

CWE

CWE-611

Improper Restriction of XML External Entity Reference

6.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2020-35123

6.5^/10

4.0^/10

Attach tags to `CVE-2020-35123`