Zimbra before 8.8.15 Patch 10 and 9.x before 9.0.0 Patch 3 allows remote code execution via an avatar file. There is potential abuse of /service/upload servlet in the webmail subsystem. A user can upload executable files (exe,sh,bat,jar) in the Contact section of the mailbox as an avatar image for a contact. A user will receive a "Corrupt File" error, but the file is still uploaded and stored locally in /opt/zimbra/data/tmp/upload/, leaving it open to possible remote execution.
Published 2020-06-03 17:15:25
Updated 2020-06-05 14:39:15
Source MITRE
View at NVD,   CVE.org
Vulnerability category: Execute code

Exploit prediction scoring system (EPSS) score for CVE-2020-12846

0.47%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 72 %
Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-12846

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
6.0
MEDIUM AV:N/AC:M/Au:S/C:P/I:P/A:P
6.8
6.4
NIST
8.0
HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
2.1
5.9
NIST

CWE ids for CVE-2020-12846

References for CVE-2020-12846

Products affected by CVE-2020-12846

This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!