Vulnerability Description
cs/service/account/AutoCompleteGal.java in Zimbra zm-mailbox before 8.8.15.p8 allows authenticated users to request any GAL account. This differs from the intended behavior in which the domain of the authenticated user must match the domain of the galsync account in the request.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zimbra | Zm-Mailbox | < 8.8.15 |
Related Weaknesses (CWE)
References
- https://github.com/Zimbra/zm-mailbox/commit/1df440e0efa624d1772a05fb6d397d9beb4b (Patch, Third Party Advisory)
- https://github.com/Zimbra/zm-mailbox/compare/8.8.15.p7...8.8.15.p8 (Patch, Third Party Advisory)
- https://github.com/Zimbra/zm-mailbox/pull/1020 (Patch, Third Party Advisory)
FAQ
What is CVE-2020-10194?
CVE-2020-10194 is a vulnerability with a CVSS score of 6.5 (MEDIUM). cs/service/account/AutoCompleteGal.java in Zimbra zm-mailbox before 8.8.15.p8 allows authenticated users to request any GAL account. This differs from the intended behavior in which the domain of the ...
How severe is CVE-2020-10194?
CVE-2020-10194 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2020-10194?
Check the references section above for vendor advisories and patch information. Affected products include: Zimbra Zm-Mailbox.