TROYANOSYVIRUS
Volver a CVEs

CVE-2026-33373

HIGH
8.8

Descripcion

An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A Cross-Site Request Forgery (CSRF) vulnerability exists in Zimbra Web Client due to the issuance of authentication tokens without CSRF protection during certain account state transitions. Specifically, tokens generated after operations such as enabling two-factor authentication or changing a password may lack CSRF enforcement. While such a token is active, authenticated SOAP requests that trigger token generation or state changes can be performed without CSRF validation. An attacker could exploit this by inducing a victim to submit crafted requests, potentially allowing sensitive account actions such as disabling two-factor authentication. The issue is mitigated by ensuring CSRF protection is consistently enforced for all issued authentication tokens.

Detalles CVE

Puntuacion CVSS v3.18.8
SeveridadHIGH
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosNONE
Interaccion usuarioREQUIRED
Publicado3/30/2026
Ultima modificacion4/1/2026
Fuentenvd
Avistamientos honeypot0

Debilidades (CWE)

CWE-352

Referencias

https://wiki.zimbra.com/wiki/Security_Center(cve@mitre.org)
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.18#Security_Fixes(cve@mitre.org)
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.13#Security_Fixes(cve@mitre.org)
https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy(cve@mitre.org)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.