| CVE ID | CVE-2024-9665 |
| CVSS SCORE | 6.5, AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| AFFECTED VENDORS |
Zimbra |
| AFFECTED PRODUCTS |
Zimbra |
| VULNERABILITY DETAILS |
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Zimbra. User interaction is required to exploit this vulnerability in that the target must open a malicious email message. The specific flaw exists within the implementation of the graphql endpoint. The issue results from the lack of proper protections against cross-site request forgery (CSRF) attacks. An attacker can leverage this vulnerability to disclose information in the context of the target email account. |
| ADDITIONAL DETAILS |
Zimbra has issued an update to correct this vulnerability. More details can be found at:
https://blog.zimbra.com/2024/10/new-patch-release-reminders-for-missing-attachments-out-of-office-notifications-traffic-light-protocol-tlp-and-mailto-links/ |
| DISCLOSURE TIMELINE |
|
| CREDIT | Anonymous |
