The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2019-12427 | Zimbra Collaboration before 8.8.15 Patch 1 is vulnerable to a non-persistent XSS via the Admin Console. | LOW | Jan 28, 2020 |
| CVE-2023-50808 | Zimbra Collaboration before Kepler 9.0.0 Patch 38 GA allows DOM-based JavaScript injection in the Modern UI. | -- | Feb 13, 2024 |
| CVE-2022-32294 | Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-login randomly created password (from the zmprove ca command). It is visible in cleartext on port UDP 514 (aka the syslog port). NOTE: a third party reports that this cannot be reproduced. | HIGH | Jul 15, 2022 |
| CVE-2022-37042 | Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925. | -- | Aug 12, 2022 |
| CVE-2016-9924 | Zimbra Collaboration Suite (ZCS) before 8.7.4 allows remote attackers to conduct XML External Entity (XXE) attacks. | HIGH | Apr 3, 2017 |
| CVE-2020-7796 | Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is enabled. | MEDIUM | Feb 24, 2020 |
| CVE-2019-6981 | Zimbra Collaboration Suite 8.7.x through 8.8.11 allows Blind SSRF in the Feed component. | MEDIUM | May 30, 2019 |
| CVE-2019-9621 | Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows SSRF via the ProxyServlet component. | MEDIUM | May 3, 2019 |
| CVE-2018-10939 | Zimbra Web Client (ZWC) in Zimbra Collaboration Suite 8.8 before 8.8.8.Patch4 and 8.7 before 8.7.11.Patch4 has Persistent XSS via a contact group. | MEDIUM | May 30, 2018 |
| CVE-2022-37393 | Zimbra\'s sudo configuration permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters. As part of its intended functionality, zmslapd can load a user-defined configuration file, which includes plugins in the form of .so files, which also execute as root. | -- | Aug 18, 2022 |
| CVE-2019-9141 | ZInsVX.dll ActiveX Control 2018.02 and earlier in Zoneplayer contains a vulnerability that could allow remote attackers to execute arbitrary files by setting the arguments to the ActiveX method. This can be leveraged for remote code execution. | HIGH | Aug 14, 2019 |
| CVE-2021-39247 | Zint Barcode Generator before 2.10.0 has a one-byte buffer over-read, related to is_last_single_ascii in code1.c, and rs_encode_uint in reedsol.c. | MEDIUM | Aug 18, 2021 |
| CVE-2022-42125 | Zip slip vulnerability in FileUtil.unzip in Liferay Portal 7.4.3.5 through 7.4.3.35 and Liferay DXP 7.4 update 1 through update 34 allows attackers to create or overwrite existing files on the filesystem via the deployment of a malicious plugin/module. | -- | Nov 18, 2022 |
| CVE-2021-31746 | Zip Slip vulnerability in Pluck-CMS Pluck 4.7.15 allows an attacker to upload specially crafted zip files, resulting in directory traversal and potentially arbitrary code execution. | HIGH | Dec 10, 2021 |
| CVE-2018-1002202 | zip4j before 1.3.3 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'. | MEDIUM | Jul 25, 2018 |
| CVE-2023-22899 | Zip4j through 2.11.2, as used in Threema and other products, does not always check the MAC when decrypting a ZIP archive. | -- | Jan 13, 2023 |
| CVE-2022-24615 | zip4j up to v2.10.0 can throw various uncaught exceptions while parsing a specially crafted ZIP file, which could result in an application crash. This could be used to mount a denial of service attack against services that use zip4j library. | MEDIUM | Feb 24, 2022 |
| CVE-2019-19925 | zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL pathname during an update of a ZIP archive. | MEDIUM | Dec 26, 2019 |
| CVE-2019-13453 | Zipios before 0.1.7 does not properly handle certain malformed zip archives and can go into an infinite loop, causing a denial of service. This is related to zipheadio.h:readUint32() and zipfile.cpp:Zipfile::Zipfile(). | MEDIUM | Jul 18, 2019 |
| CVE-2022-36051 | ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**, introduced in ZITADEL **1.42.0** on the API and **1.56.0** for Console, is a feature, where users with role.`ORG_OWNER` are able to create Javascript Code, which is invoked by the system at certain points during the login. **Actions**, for example, allow creating authorizations (user grants) on newly created users programmatically. Due to a missing authorization check, **Actions** were able to grant authorizations for projects that belong to other organizations inside the same Instance. Granting authorizations via API and Console is not affected by this vulnerability. There is currently no known workaround, users should update. | -- | Sep 1, 2022 |
| CVE-2023-22492 | ZITADEL is a combination of Auth0 and Keycloak. RefreshTokens is an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the user\'s session without the need for interacting with a UI. RefreshTokens were not invalidated when a user was locked or deactivated. The deactivated or locked user was able to obtain a valid access token only through a refresh token grant. When the locked or deactivated user’s session was already terminated (“logged out”) then it was not possible to create a new session. Renewal of access token through a refresh token grant is limited to the configured amount of time (RefreshTokenExpiration). As a workaround, ensure the RefreshTokenExpiration in the OIDC settings of your instance is set according to your security requirements. This issue has been patched in versions 2.17.3 and 2.16.4. | -- | Jan 12, 2023 |
| CVE-2023-46238 | ZITADEL is an identity infrastructure management system. ZITADEL users can upload their own avatar image using various image types including SVG. SVG can include scripts, such as javascript, which can be executed during rendering. Due to a missing security header, an attacker could inject code to an SVG to gain access to the victim’s account in certain scenarios. A victim would need to directly open the malicious image in the browser, where a single session in ZITADEL needs to be active for this exploit to work. If the possible victim had multiple or no active sessions in ZITADEL, the attack would not succeed. This issue has been patched in version 2.39.2 and 2.38.2. | -- | Oct 26, 2023 |
| CVE-2023-49097 | ZITADEL is an identity infrastructure system. ZITADEL uses the notification triggering requests Forwarded or X-Forwarded-Host header to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and a user clicks the link to a malicious site in the email, the secret code can be retrieved and used to reset the users password and take over his account. Accounts with MFA or Passwordless enabled can not be taken over by this attack. This issue has been patched in versions 2.41.6, 2.40.10 and 2.39.9. | -- | Nov 30, 2023 |
| CVE-2024-28197 | Zitadel is an open source identity management system. Zitadel uses a cookie to identify the user agent (browser) and its user sessions. Although the cookie was handled according to best practices, it was accessible on subdomains of the ZITADEL instance. An attacker could take advantage of this and provide a malicious link hosted on the subdomain to the user to gain access to the victim’s account in certain scenarios. A possible victim would need to login through the malicious link for this exploit to work. If the possible victim already had the cookie present, the attack would not succeed. The attack would further only be possible if there was an initial vulnerability on the subdomain. This could either be the attacker being able to control DNS or a XSS vulnerability in an application hosted on a subdomain. Versions 2.46.0, 2.45.1, and 2.44.3 have been patched. Zitadel recommends upgrading to the latest versions available in due course. Note that applying the patch will invalidate the current cookie and thus users will need to start a new session and existing sessions (user selection) will be empty. For self-hosted environments unable to upgrade to a patched version, prevent setting the following cookie name on subdomains of your Zitadel instance (e.g. within your WAF): `__Secure-zitadel-useragent`. | -- | Mar 12, 2024 |
| CVE-2023-44399 | ZITADEL provides identity infrastructure. In versions 2.37.2 and prior, ZITADEL administrators can enable a setting called Ignoring unknown usernames which helps mitigate attacks that try to guess/enumerate usernames. While this settings was properly working during the authentication process it did not work correctly on the password reset flow. This meant that even if this feature was active that an attacker could use the password reset function to verify if an account exist within ZITADEL. This bug has been patched in versions 2.37.3 and 2.38.0. No known workarounds are available. | -- | Oct 10, 2023 |
| CVE-2023-47111 | ZITADEL provides identity infrastructure. ZITADEL provides administrators the possibility to define a `Lockout Policy` with a maximum amount of failed password check attempts. On every failed password check, the amount of failed checks is compared against the configured maximum. Exceeding the limit, will lock the user and prevent further authentication. In the affected implementation it was possible for an attacker to start multiple parallel password checks, giving him the possibility to try out more combinations than configured in the `Lockout Policy`. This vulnerability has been patched in versions 2.40.5 and 2.38.3. | -- | Nov 9, 2023 |
| CVE-2024-32868 | ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email. While ZITADEL already gives administrators the option to define a `Lockout Policy` with a maximum amount of failed password check attempts, there was no such mechanism for (T)OTP checks. This issue has been patched in version 2.50.0. | -- | Apr 26, 2024 |
| CVE-2024-29891 | ZITADEL users can upload their own avatar image and various image types are allowed. Due to a missing check, an attacker could upload HTML and pretend it is an image to gain access to the victim\'s account in certain scenarios. A possible victim would need to directly open the supposed image in the browser, where a session in ZITADEL needs to be active for this exploit to work. The exploit could only be reproduced if the victim was using Firefox. Chrome, Safari as well as Edge did not execute the code. This vulnerability is fixed in 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17. | -- | Mar 28, 2024 |
| CVE-2024-28855 | ZITADEL, open source authentication management software, uses Go templates to render the login UI. Due to a improper use of the `text/template` instead of the `html/template` package, the Login UI did not sanitize input parameters prior to versions 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15. An attacker could create a malicious link, where he injected code which would be rendered as part of the login screen. While it was possible to inject HTML including JavaScript, the execution of such scripts would be prevented by the Content Security Policy. Versions 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15 contain a patch for this issue. No known workarounds are available. | -- | Mar 19, 2024 |
| CVE-2024-29892 | ZITADEL, open source authentication management software, uses Go templates to render the login UI. Under certain circumstances an action could set reserved claims managed by ZITADEL. For example it would be possible to set the claim `urn:zitadel:iam:user:resourceowner:name`. To compensate for this we introduced a protection that does prevent actions from changing claims that start with `urn:zitadel:iam`. This vulnerability is fixed in 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17. | -- | Mar 28, 2024 |
| CVE-2021-25909 | ZIV Automation 4CCT-EA6-334126BF firmware version 3.23.80.27.36371, allows an unauthenticated, remote attacker to cause a denial of service condition on the device. An attacker could exploit this vulnerability by sending specific packets to the port 7919. | MEDIUM | Jan 29, 2021 |
| CVE-2017-17105 | Zivif PR115-204-P-RS V2.3.4.2103 web cameras are vulnerable to unauthenticated, blind remote command injection via CGI scripts used as part of the web interface, as demonstrated by a cgi-bin/iptest.cgi?cmd=iptest.cgi&-time=1504225666237&-url=$(reboot) request. | HIGH | Dec 18, 2017 |
| CVE-2017-17107 | Zivif PR115-204-P-RS V2.3.4.2103 web cameras contain a hard-coded cat1029 password for the root user. The SONIX operating system's setup renders this password unchangeable and it can be used to access the device via a TELNET session. | HIGH | Dec 18, 2017 |
| CVE-2017-16201 | zjjserver is a static file server. zjjserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. | MEDIUM | Jun 6, 2018 |
| CVE-2022-36537 | ZK Framework v9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the component AuUploader. | -- | Aug 27, 2022 |
| CVE-2021-25642 | ZKConfigurationStore which is optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data obtained from ZooKeeper without validation. An attacker having access to ZooKeeper can run arbitrary commands as YARN user by exploiting this. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.4 or later (containing YARN-11126) if ZKConfigurationStore is used. | -- | Aug 25, 2022 |
| CVE-2023-38955 | ZKTeco BioAccess IVS v3.3.1 allows unauthenticated attackers to obtain sensitive information about all managed devices, including their IP addresses and device names. | -- | Aug 3, 2023 |
| CVE-2023-38954 | ZKTeco BioAccess IVS v3.3.1 was discovered to contain a SQL injection vulnerability. | -- | Aug 3, 2023 |
| CVE-2022-30515 | ZKTeco BioTime 8.5.4 is missing authentication on folders containing employee photos, allowing an attacker to view them through filename enumeration. | -- | Nov 9, 2022 |
| CVE-2022-38803 | Zkteco BioTime < 8.5.3 Build:20200816.447 is vulnerable to Incorrect Access Control via Leave, overtime, Manual log. An authenticated employee can read local files by exploiting XSS into a pdf generator when exporting data as a PDF | -- | Dec 2, 2022 |
| CVE-2022-38802 | Zkteco BioTime < 8.5.3 Build:20200816.447 is vulnerable to Incorrect Access Control via resign, private message, manual log, time interval, attshift, and holiday. An authenticated administrator can read local files by exploiting XSS into a pdf generator when exporting data as a PDF | -- | Dec 2, 2022 |
| CVE-2022-44213 | ZKTeco Xiamen Information Technology ZKBio ECO ADMS <=3.1-164 is vulnerable to Cross Site Scripting (XSS). | -- | Dec 9, 2022 |
| CVE-2022-40472 | ZKTeco Xiamen Information Technology ZKBio Time 8.0.7 Build: 20220721.14829 was discovered to contain a CSV injection vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the Content text field of the Add New Message module. | -- | Oct 3, 2022 |
| CVE-2022-36635 | ZKteco ZKBioSecurity V5000 4.1.3 was discovered to contain a SQL injection vulnerability via the component /baseOpLog.do. | -- | Oct 8, 2022 |
| CVE-2017-14680 | ZKTeco ZKTime Web 2.0.1.12280 allows remote attackers to obtain sensitive employee metadata via a direct request for a PDF document. | MEDIUM | Sep 21, 2017 |
| CVE-2018-25032 | zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. | MEDIUM | Mar 26, 2022 |
| CVE-2022-37434 | zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference). | LOW | Aug 6, 2022 |
| CVE-2016-9843 | zlib: Big-endian out-of-bounds pointer | HIGH | Apr 10, 2017 |
| CVE-2016-9840 | zlib: Out-of-bounds pointer arithmetic in inftrees.c | MEDIUM | Apr 10, 2017 |
| CVE-2016-9842 | zlib: Undefined left shift of negative number | MEDIUM | Apr 10, 2017 |
