漏洞描述
由于 Zimbra Collaboration(ZCS)10.0 和 10.1 的 Webmail Classic界面中存在一个本地文件包含(LFI)漏洞,原因是 RestFilter servlet 中用户提供的请求参数处理不当。未经认证的远程攻击者可以向 /h/rest端点设计请求,影响内部请求调度,从而允许包含 WebRoot 目录中的任意文件。
Zimbra Collaboration 存在本地文件包含漏洞(CVE-2025-68645)
PoC代码
暂无相关漏洞推荐
- POC Zimbra Collaboration Suite /h javax.servlet.include.path_info 文件包含漏洞(CVE-2025-68645)
- POC CVE-2025-27915: Zimbra - Cross-Site Scripting via ICS Files
- CVE-2019-9670: Zimbra Collaboration XXE
- POC CVE-2013-7091: Zimbra Collaboration Server 7.2.2/8.0.2 Local File Inclusion
- POC CVE-2018-14013: Synacor Zimbra Collaboration Suite Collaboration <8.8.11 - Cross-Site Scripting
- POC CVE-2019-9670: Synacor Zimbra Collaboration <8.7.11p10 - XML External Entity Injection
- POC CVE-2020-7796: Zimbra Collaboration Suite < 8.8.15 Patch 7 - Server-Side Request Forgery
- POC CVE-2022-27926: Zimbra Collaboration (ZCS) - Cross Site Scripting
- POC CVE-2022-37042: Zimbra Collaboration Suite 8.8.15/9.0 - Remote Code Execution
- POC CVE-2023-34192: Zimbra Collaboration Suite (ZCS) v.8.8.15 - Cross-Site Scripting
- POC CVE-2023-37580: Zimbra Collaboration Suite (ZCS) v.8.8.15 - Cross-Site Scripting
- POC CVE-2024-45519: Zimbra Collaboration Suite < 9.0.0 - Remote Code Execution
- POC CVE-2022-37042: Zimbra Collaboration Suite 8.8.15/9.0 - Remote Code Execution