The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2023-49394 | Zentao versions 4.1.3 and before has a URL redirect vulnerability, which prevents the system from functioning properly. | -- | Jan 10, 2024 | n/a |
| CVE-2020-10069 | Zephyr Bluetooth unchecked packet data results in denial of service. Zephyr versions >= v1.14.2, >= v2.2.0 contain Improper Handling of Parameters (CWE-233). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-f6vh-7v4x-8fjp | LOW | May 27, 2021 | n/a |
| CVE-2021-3510 | Zephyr JSON decoder incorrectly decodes array of array. Zephyr versions >= >1.14.0, >= >2.5.0 contain Attempt to Access Child of a Non-structure Pointer (CWE-588). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-289f-7mw3-2qf4 | MEDIUM | Oct 6, 2021 | n/a |
| CVE-2023-7060 | Zephyr OS IP packet handling does not properly drop IP packets arriving on an external interface with a source address equal to 127.0.01 or the destination address. | -- | Mar 17, 2024 | n/a |
| CVE-2018-1000800 | zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get() that can result in CPU Page Fault (error code 0x00000010). This attack appear to be exploitable via a malicious application call the vulnerable kernel APIs (system sys_ring_buf_get() and sys_ring_buf_put). | HIGH | Sep 6, 2018 | n/a |
| CVE-2021-42952 | Zepl Notebooks before 2021-10-25 are affected by a sandbox escape vulnerability. Upon launching Remote Code Execution from the Notebook, users can then use that to subsequently escape the running context sandbox and proceed to access internal Zepl assets including cloud metadata services. | MEDIUM | Feb 26, 2022 | n/a |
| CVE-2016-7431 | Zero Origin timestamp problems were fixed by Bug 2945 in ntp-4.2.8p6. However, subsequent timestamp validation checks introduced a regression in the handling of some Zero origin timestamp checks. | MEDIUM | Nov 10, 2016 | ipnet_ntp-1.2.0.4 (VxWorks 7) |
| CVE-2023-3747 | Zero Trust Administrators have the ability to disallow end users from disabling WARP on their devices. Override codes can also be created by the Administrators to allow a device to temporarily be disconnected from WARP, however, due to lack of server side validation, an attacker with local access to the device, could extend the maximum allowed disconnected time of WARP client granted by an override code by changing the date & time on the local device where WARP is running. | -- | Sep 7, 2023 | n/a |
| CVE-2021-30175 | ZEROF Web Server 1.0 (April 2021) allows SQL Injection via the /HandleEvent endpoint for the login page. | HIGH | Apr 14, 2021 | n/a |
| CVE-2022-25323 | ZEROF Web Server 2.0 allows /admin.back XSS. | MEDIUM | Feb 18, 2022 | n/a |
| CVE-2022-25322 | ZEROF Web Server 2.0 allows /HandleEvent SQL Injection. | HIGH | Feb 18, 2022 | n/a |
| CVE-2020-36400 | ZeroMQ libzmq 4.3.3 has a heap-based buffer overflow in zmq::tcp_read, a different vulnerability than CVE-2021-20235. | HIGH | Jul 1, 2021 | n/a |
| CVE-2019-12725 | Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters. | HIGH | Jul 22, 2019 | n/a |
| CVE-2020-29390 | Zeroshell 3.9.3 contains a command injection vulnerability in the /cgi-bin/kerbynet StartSessionSubmit parameter that could allow an unauthenticated attacker to execute a system command by using shell metacharacters and the %0a character. | HIGH | Dec 3, 2020 | n/a |
| CVE-2021-41738 | ZeroShell 3.9.5 has a command injection vulnerability in /cgi-bin/kerbynet IP parameter, which may allow an authenticated attacker to execute system commands. | MEDIUM | Jun 11, 2022 | n/a |
| CVE-2020-27207 | Zetetic SQLCipher 4.x before 4.4.1 has a use-after-free, related to sqlcipher_codec_pragma and sqlite3Strlen30 in sqlite3.c. A remote denial of service attack can be performed. For example, a SQL injection can be used to execute the crafted SQL command sequence. After that, some unexpected RAM data is read. | MEDIUM | Nov 27, 2020 | n/a |
| CVE-2021-3119 | Zetetic SQLCipher 4.x before 4.4.3 has a NULL pointer dereferencing issue related to sqlcipher_export in crypto.c and sqlite3StrICmp in sqlite3.c. This may allow an attacker to perform a remote denial of service attack. For example, an SQL injection can be used to execute the crafted SQL command sequence, which causes a segmentation fault. | MEDIUM | Mar 27, 2021 | n/a |
| CVE-2022-40276 | Zettlr version 2.3.0 allows an external attacker to remotely obtain arbitrary local files on any client that attempts to view a malicious markdown file through Zettlr. This is possible because the application does not have a CSP policy (or at least not strict enough) and/or does not properly validate the contents of markdown files before rendering them. | -- | Nov 5, 2022 | n/a |
| CVE-2014-4913 | ZF2014-03 has a potential cross site scripting vector in multiple view helpers | MEDIUM | Dec 15, 2019 | n/a |
| CVE-2022-40050 | ZFile v4.1.1 was discovered to contain an arbitrary file upload vulnerability via the component /file/upload/1. | -- | Sep 28, 2022 | n/a |
| CVE-2020-8975 | ZGR TPS200 NG in its 2.00 firmware version and 1.01 hardware version, allows a remote attacker with access to the web application and knowledge of the routes (URIs) used by the application, to access sensitive information about the system. | -- | Oct 20, 2022 | n/a |
| CVE-2020-8973 | ZGR TPS200 NG in its 2.00 firmware version and 1.01 hardware version, does not properly accept specially constructed requests. This allows an attacker with access to the network where the affected asset is located, to operate and change several parameters without having to be registered as a user on the web that owns the device. | -- | Oct 19, 2022 | n/a |
| CVE-2005-0758 | zgrep in gzip before 1.3.5 does not properly sanitize arguments, which allows local users to execute arbitrary commands via filenames that are injected into a sed script. | MEDIUM | Oct 16, 2019 | n/a |
| CVE-2024-0210 | Zigbee TLV dissector crash in Wireshark 4.2.0 allows denial of service via packet injection or crafted capture file | -- | Jan 3, 2024 | n/a |
| CVE-2011-3352 | Zikula 1.3.0 build #3168 and probably prior has XSS flaw due to improper sanitization of the \'themename\' parameter by setting default, modifying and deleting themes. A remote attacker with Zikula administrator privilege could use this flaw to execute arbitrary HTML or web script code in the context of the affected website. | LOW | Nov 21, 2019 | n/a |
| CVE-2014-2293 | Zikula Application Framework before 1.3.7 build 11 allows remote attackers to conduct PHP object injection attacks and delete arbitrary files or execute arbitrary PHP code via crafted serialized data in the (1) authentication_method_ser or (2) authentication_info_ser parameter to index.php, or (3) zikulaMobileTheme parameter to index.php. | HIGH | Mar 26, 2018 | n/a |
| CVE-2020-10870 | Zim through 0.72.1 creates temporary directories with predictable names. A malicious user could predict and create Zim\'s temporary directories and prevent other users from being able to start Zim, resulting in a denial of service. | LOW | Mar 25, 2020 | n/a |
| CVE-2013-1938 | Zimbra 2013 has XSS in aspell.php | MEDIUM | Feb 12, 2020 | n/a |
| CVE-2020-12846 | Zimbra before 8.8.15 Patch 10 and 9.x before 9.0.0 Patch 3 allows remote code execution via an avatar file. There is potential abuse of /service/upload servlet in the webmail subsystem. A user can upload executable files (exe,sh,bat,jar) in the Contact section of the mailbox as an avatar image for a contact. A user will receive a Corrupt File error, but the file is still uploaded and stored locally in /opt/zimbra/data/tmp/upload/, leaving it open to possible remote execution. | MEDIUM | Jun 5, 2020 | n/a |
| CVE-2022-27924 | Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance. These memcache commands becomes unescaped, causing an overwrite of arbitrary cached entries. | MEDIUM | Apr 21, 2022 | n/a |
| CVE-2022-27925 | Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal. | MEDIUM | Apr 21, 2022 | n/a |
| CVE-2023-37580 | Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client. | -- | Jul 31, 2023 | n/a |
| CVE-2019-8947 | Zimbra Collaboration 8.7.x - 8.8.11P2 contains non-persistent XSS. | MEDIUM | Jan 28, 2020 | n/a |
| CVE-2019-8945 | Zimbra Collaboration 8.7.x - 8.8.11P2 contains persistent XSS. | MEDIUM | Jan 28, 2020 | n/a |
| CVE-2019-8946 | Zimbra Collaboration 8.7.x - 8.8.11P2 contains persistent XSS. | MEDIUM | Jan 28, 2020 | n/a |
| CVE-2015-2249 | Zimbra Collaboration before 8.6.0 patch5 has XSS. | LOW | Jan 28, 2020 | n/a |
| CVE-2016-3415 | Zimbra Collaboration before 8.7.0 allows remote attackers to conduct deserialization attacks via unspecified vectors, aka bug 102276. | MEDIUM | Feb 2, 2017 | n/a |
| CVE-2018-17938 | Zimbra Collaboration before 8.8.10 GA allows text content spoofing via a loginErrorCode value. | MEDIUM | Oct 3, 2018 | n/a |
| CVE-2019-11318 | Zimbra Collaboration before 8.8.12 Patch 1 has persistent XSS. | LOW | Jan 28, 2020 | n/a |
| CVE-2019-12427 | Zimbra Collaboration before 8.8.15 Patch 1 is vulnerable to a non-persistent XSS via the Admin Console. | LOW | Jan 28, 2020 | n/a |
| CVE-2023-50808 | Zimbra Collaboration before Kepler 9.0.0 Patch 38 GA allows DOM-based JavaScript injection in the Modern UI. | -- | Feb 13, 2024 | n/a |
| CVE-2022-32294 | Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-login randomly created password (from the zmprove ca command). It is visible in cleartext on port UDP 514 (aka the syslog port). NOTE: a third party reports that this cannot be reproduced. | HIGH | Jul 15, 2022 | n/a |
| CVE-2022-37042 | Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925. | -- | Aug 12, 2022 | n/a |
| CVE-2016-9924 | Zimbra Collaboration Suite (ZCS) before 8.7.4 allows remote attackers to conduct XML External Entity (XXE) attacks. | HIGH | Apr 3, 2017 | n/a |
| CVE-2020-7796 | Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is enabled. | MEDIUM | Feb 24, 2020 | n/a |
| CVE-2019-6981 | Zimbra Collaboration Suite 8.7.x through 8.8.11 allows Blind SSRF in the Feed component. | MEDIUM | May 30, 2019 | n/a |
| CVE-2019-9621 | Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows SSRF via the ProxyServlet component. | MEDIUM | May 3, 2019 | n/a |
| CVE-2018-10939 | Zimbra Web Client (ZWC) in Zimbra Collaboration Suite 8.8 before 8.8.8.Patch4 and 8.7 before 8.7.11.Patch4 has Persistent XSS via a contact group. | MEDIUM | May 30, 2018 | n/a |
| CVE-2022-37393 | Zimbra\'s sudo configuration permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters. As part of its intended functionality, zmslapd can load a user-defined configuration file, which includes plugins in the form of .so files, which also execute as root. | -- | Aug 18, 2022 | n/a |
| CVE-2019-9141 | ZInsVX.dll ActiveX Control 2018.02 and earlier in Zoneplayer contains a vulnerability that could allow remote attackers to execute arbitrary files by setting the arguments to the ActiveX method. This can be leveraged for remote code execution. | HIGH | Aug 14, 2019 | n/a |
