CVE-2024-9665

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-9665

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-9665.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-9665

Published

2024-11-22T21:15:23.923Z

Modified

2025-11-16T12:12:37.109368Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Zimbra GraphQL Cross-Site Request Forgery Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Zimbra. User interaction is required to exploit this vulnerability in that the target must open a malicious email message.

The specific flaw exists within the implementation of the graphql endpoint. The issue results from the lack of proper protections against cross-site request forgery (CSRF) attacks. An attacker can leverage this vulnerability to disclose information in the context of the target email account. Was ZDI-CAN-23939.

References

Affected packages

Git / github.com/zimbra/zm-build

Affected ranges

Type: GIT
Repo: https://github.com/zimbra/zm-build
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

b6cd8f69d2761c014d4a3807f0bdee0011386444

Affected versions

8.*

8.7.10

8.7.11

8.7.6

8.7.7

8.7.9

8.8.0.beta1

8.8.10

8.8.11

8.8.11.p3

8.8.12

8.8.15

8.8.2

8.8.3

8.8.4

8.8.6

8.8.7

8.8.8

8.8.9

8.8.9.p1

8.8.9.p3