Zimbra Collaboration Server 7.2.2 / 8.0.2 – Local File Inclusion Vulnerability
by CIRT Team
Description:
CVE-2013-7091: Directory traversal vulnerability on /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the skin parameter.
NOTE: This can be leveraged to execute arbitrary code by obtaining LDAP credentials and accessing the service/admin/soap API.
Impact: An attacker can exploit this vulnerability to obtain potentially sensitive information like LDAP root credentials and execute arbitrary local scripts. This could allow the attacker to compromise the application and the computer, other attacks are also possible.
Mitigation: Vendor has released patch version.
Reference URL’s:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7091
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
Recommended Posts
Cyber Threat Alert: Surge in Attacks via Compromised Third-Party Service Providers
08 Feb 2024 - Articles, English articles, Security Advisories & Alerts
Subscribe here
MEMBER OF:
