CVE-2026-33369

{"id": "CVE-2026-33369", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2026-03-20T14:16:16.017", "references": [{"url": "https://wiki.zimbra.com/wiki/Security_Center", "tags": ["Vendor Advisory", "Release Notes"], "source": "cve@mitre.org"}, {"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.16#Security_Fixes", "tags": ["Release Notes"], "source": "cve@mitre.org"}, {"url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "Zimbra Collaboration (ZCS) 10.0 and 10.1 contains an LDAP injection vulnerability in the Mailbox SOAP service within a FolderAction operation. The application fails to properly sanitize user-supplied input before incorporating it into an LDAP search filter. An authenticated attacker can exploit this issue by sending a crafted SOAP request that manipulates the LDAP query, allowing retrieval of sensitive directory attributes."}, {"lang": "es", "value": "Zimbra Collaboration (ZCS) 10.0 y 10.1 contiene una vulnerabilidad de inyecci\u00f3n LDAP en el servicio SOAP de Mailbox dentro de una operaci\u00f3n FolderAction. La aplicaci\u00f3n no logra sanear adecuadamente la entrada proporcionada por el usuario antes de incorporarla a un filtro de b\u00fasqueda LDAP. Un atacante autenticado puede explotar este problema enviando una solicitud SOAP manipulada que manipula la consulta LDAP, permitiendo la recuperaci\u00f3n de atributos de directorio sensibles."}], "lastModified": "2026-04-01T15:36:59.913", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E8DBE536-EAB0-48FF-A195-C0DB0A7FBCA0", "versionEndExcluding": "10.1.16", "versionStartIncluding": "10.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}