CVE-2020-12846 Information

Description

Zimbra before 8.8.15 Patch 10 and 9.x before 9.0.0 Patch 3 allows remote code execution via an avatar file. There is potential abuse of /service/upload servlet in the webmail subsystem. A user can upload executable files (exeshbatjar) in the Contact section of the mailbox as an avatar image for a contact. A user will receive a \Corrupt File\ error but the file is still uploaded and stored locally in /opt/zimbra/data/tmp/upload/ leaving it open to possible remote execution.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Reference

https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P3 https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

REQUIRED

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

8.0