Zimbra zm-mailbox before 8.8.15.p8 allows authenticated users to request any GAL account

  • Prophaze WAF
  • March 21, 2020
  • 11:21 pm


Overview:
cs/service/account/AutoCompleteGal.java in Zimbra zm-mailbox before 8.8.15.p8 allows authenticated users to request any GAL account. The intended behaviour is that the domain of the authenticated user must match the domain of the galsync account named in the request. Without that check, any authenticated user on a multi-domain Zimbra server can run GAL autocomplete searches against another domain's galsync account and so read that domain's directory. The check was added in 8.8.15.p8.

References:
  • CONFIRM: https://github.com/Zimbra/zm-mailbox/pull/1020
  • MISC: https://github.com/Zimbra/zm-mailbox/commit/1df440e0efa624d1772a05fb6d397d9beb4bda1e
  • MISC: https://github.com/Zimbra/zm-mailbox/compare/8.8.15.p7...8.8.15.p8

ZBUG-1094: Broken GAL search filtering #1020

Issue:
Any authenticated user can request any GAL account

Fix:
Added a condition to check whether the authenticated account is on the same domain as the galsync account in the request. If not, throw permission denied.

Testing done:
Manual testing done with user and galsync account on different domains
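The behaviour before and after the fix, as an added example written for this page (it is not code from the zm-mailbox project, whose handler is Java): a small Python model of the AutoCompleteGal request path over a constructed two-domain directory. The account ids, domain ids, GAL contents and the idea that the request carries the galsync account's id are assumptions for illustration; the only logic taken from the page is the fix itself, the domain comparison that raises permission denied.

```python
# Added example (not zm-mailbox code): model of the AutoCompleteGal handler
# before and after the 8.8.15.p8 fix. Directory data is constructed.
from dataclasses import dataclass
from typing import Dict, List


class ServiceException(Exception):
    """Stands in for Zimbra's ServiceException hierarchy (assumed naming)."""


class PermDenied(ServiceException):
    """Stands in for ServiceException.PERM_DENIED (assumed naming)."""


class NoSuchAccount(ServiceException):
    """Raised when the requested galsync account id is unknown."""


@dataclass(frozen=True)
class Account:
    id: str
    name: str        # user@domain
    domain_id: str


# Constructed multi-tenant directory: two hosted domains, each with its own
# galsync account whose GAL lists only that domain's users.
DIRECTORY: Dict[str, Account] = {
    "acct-alice": Account("acct-alice", "alice@a.example", "dom-a"),
    "acct-gal-a": Account("acct-gal-a", "galsync@a.example", "dom-a"),
    "acct-bob":   Account("acct-bob",   "bob@b.example",   "dom-b"),
    "acct-gal-b": Account("acct-gal-b", "galsync@b.example", "dom-b"),
}

GAL_CONTENTS: Dict[str, List[str]] = {
    "acct-gal-a": ["alice@a.example", "anna@a.example"],
    "acct-gal-b": ["bob@b.example", "bill@b.example"],
}


def _lookup(acct_id: str) -> Account:
    acct = DIRECTORY.get(acct_id)
    if acct is None:
        raise NoSuchAccount(acct_id)
    return acct


def _search(gal: Account, prefix: str) -> List[str]:
    # Autocomplete: return GAL entries of the chosen galsync account that
    # start with the typed prefix.
    return [e for e in GAL_CONTENTS.get(gal.id, []) if e.startswith(prefix)]


def auto_complete_gal_vulnerable(auth_acct_id: str, gal_acct_id: str,
                                 prefix: str) -> List[str]:
    """Pre-8.8.15.p8 behaviour: whatever galsync account id the client sends
    is honoured, so a user in dom-a can search dom-b's GAL."""
    _lookup(auth_acct_id)          # caller is authenticated but never compared
    return _search(_lookup(gal_acct_id), prefix)


def auto_complete_gal_fixed(auth_acct_id: str, gal_acct_id: str,
                            prefix: str) -> List[str]:
    """8.8.15.p8 behaviour as described in PR #1020: the galsync account must
    be in the same domain as the authenticated account, else permission denied."""
    auth = _lookup(auth_acct_id)
    gal = _lookup(gal_acct_id)
    if gal.domain_id != auth.domain_id:
        raise PermDenied(f"{auth.name} may not use galsync account "
                         f"{gal.name} of another domain")
    return _search(gal, prefix)


def cross_domain_request_denied(auth_acct_id: str, gal_acct_id: str) -> bool:
    """True when the fixed handler rejects the request with permission denied."""
    try:
        auto_complete_gal_fixed(auth_acct_id, gal_acct_id, "")
    except PermDenied:
        return True
    return False


if __name__ == "__main__":
    # alice (dom-a) asks for dom-b's galsync account
    print("before fix:", auto_complete_gal_vulnerable("acct-alice", "acct-gal-b", "b"))
    print("after fix, same domain:",
          auto_complete_gal_fixed("acct-alice", "acct-gal-a", "a"))
    print("after fix, cross domain denied:",
          cross_domain_request_denied("acct-alice", "acct-gal-b"))
```

The same-domain path behaves identically before and after, which is why the PR's manual test had to place the user and the galsync account in different domains; a test with both in one domain would pass against either version.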


