Skip to Content
Cloud WAF Cloud WAF
  • Products
    • Cloud WAF
    • Kubernetes WAF
    • WAF API Gateway
    • Bot Protection
    • Layer 7 DDoS Protection
  • Solution
    • By Industry
      • E-Commerce
      • HealthCare
      • Education
      • Financial Services
    • By Cloud – deployment options
      • Containers Service Meshes
      • Google Cloud
      • Microsoft Azure
      • AWS Waf
      • SaaS
      • Hybrid Cloud
      • Private Cloud
  • Partners
  • About
    • OverView
      • About Us
      • Compliances
      • Contact Us
    • Functional View
      • How it works
      • Integration
      • Why choose Us?
  • Pricing
  • Case Studies
  • Blog
  • Resources
    • Common Vulnerabilities and Exposures
    • Learn Cyber Security
    • WAF Comparison
Free Trial
Free Trial

Zimbra zm-mailbox before 8.8.15.p8 allows authenticated users to request any GAL account

  • Prophaze WAF
  • March 21, 2020
  • 11:21 pm

Overview :
cs/service/account/AutoCompleteGal.java in Zimbra zm-mailbox before 8.8.15.p8 allows authenticated users to request any GAL account. This differs from the intended behavior in which the domain of the authenticated user must match the domain of the galsync account in the request.
  • CONFIRM:https://github.com/Zimbra/zm-mailbox/pull/1020
  • MISC:https://github.com/Zimbra/zm-mailbox/commit/1df440e0efa624d1772a05fb6d397d9beb4bda1e
  • MISC:https://github.com/Zimbra/zm-mailbox/compare/8.8.15.p7…8.8.15.p8

ZBUG-1094:Broken GAL search filtering #1020

Issue:
Any authenticated user can request any GAL account

Fix:
Added condition to check if the authenticated account is on same domain as that of galsync account in request. If not, throw permission denied.

Testing done:
Manual testing done with user and galsync account on different domains

  • Prophaze WAF
  • March 21, 2020
  • 11:21 pm

Common Vulnerabilityies and Exposures

Contact us to get started

CVE-2022-1840 : Home Clean Services Management System Stored Cross-Site Scripting (XSS)

CVE-2022-1840 : Home Clean Services Management System Stored Cross-Site Scripting (XSS)

Description Persistent XSS (or Stored XSS) attack is one of the three major categories of XSS attacks, the others being

Learn more
CVE-2022-1558 : Multiple Stored Cross-Site Scripting vulnerabilities in WordPress curtain plugin 1.0.2

CVE-2022-1558 : Multiple Stored Cross-Site Scripting vulnerabilities in WordPress curtain plugin 1.0.2

Description Several Cross-Site Scripting vulnerabilities in the Curtain WordPress plugin. Due to these Cross-Site Scripting vulnerabilities, an attacker would be

Learn more
CVE-2022-AVAST2 : Self-Defense Bypass via Repairing Function

CVE-2022-AVAST2 : Self-Defense Bypass via Repairing Function

Description It was noted that there is security checking to prevent some of the Avast processes from loading of undesired/unsigned

Learn more

Why Prophaze ?
Request Demo

Questions
Partners
Privacy Policy
Terms of Service

Plans
WAF Pricing
Webinars
Blog
CVEs
Case Studies
Make in India WAF
WAF Pricing
Free WAF

Protection from all threats
DDoS protection
Automated security policy
AI firewall
Zero-configuration
Dashboard
API security
Compliance
Security updates
Virtual patching

Contact Us

Contact Info India
+91 7994 008 420

Contact Info USA
(+831) 217-6365

Email : security@prophaze.com

© 2022 Copyright © Prophaze Technologies Pvt. Ltd. All rights reserved. Terms & Conditions | Legal and Privacy | Manage Cookies