Description

An issue was discovered in the Webmail Classic UI in Zimbra Collaboration (ZCS) 9.0, 10.0, and 10.1. A Local File Inclusion (LFI) vulnerability exists in the /h/rest endpoint, allowing authenticated remote attackers to include and access sensitive files in the WebRoot directory. Exploitation requires a valid auth token and involves crafting a malicious request targeting specific file paths.

PUBLISHED Reserved 2024-12-04 | Published 2024-12-19 | Updated 2024-12-31 | Assigner mitre

References

wiki.zimbra.com/wiki/Zimbra_Releases/10.1.3

wiki.zimbra.com/wiki/Zimbra_Releases/10.0.11

cve.org (CVE-2024-54663)

nvd.nist.gov (CVE-2024-54663)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.