CSRF Token Bypass in Zimbra Collaboration Suite Webmail Component

CSRF Token Bypass in Zimbra Collaboration Suite Webmail Component

CVE-2022-37043 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

An issue was discovered in the webmail component in Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0. When using preauth, CSRF tokens are not checked on some POST endpoints. Thus, when an authenticated user views an attacker-controlled page, a request will be sent to the application that appears to be intended. The CSRF token is omitted from the request, but the request still succeeds.

Learn more about our Web App Pen Testing.