CVE-2026-33372

{"id": "CVE-2026-33372", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}]}, "published": "2026-03-20T14:16:16.357", "references": [{"url": "https://wiki.zimbra.com/wiki/Security_Center", "tags": ["Vendor Advisory", "Release Notes"], "source": "cve@mitre.org"}, {"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.16#Security_Fixes", "tags": ["Release Notes"], "source": "cve@mitre.org"}, {"url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A cross-site request forgery (CSRF) vulnerability exists in Zimbra Webmail due to improper validation of CSRF tokens. The application accepts CSRF tokens supplied within the request body instead of requiring them through the expected request header. An attacker can exploit this issue by tricking an authenticated user into submitting a crafted request. This may allow unauthorized actions to be performed on behalf of the victim."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Zimbra Collaboration (ZCS) 10.0 y 10.1. Existe una vulnerabilidad de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en Zimbra Webmail debido a una validaci\u00f3n incorrecta de los tokens CSRF. La aplicaci\u00f3n acepta tokens CSRF suministrados dentro del cuerpo de la petici\u00f3n en lugar de requerirlos a trav\u00e9s de la cabecera de petici\u00f3n esperada. Un atacante puede explotar este problema enga\u00f1ando a un usuario autenticado para que env\u00ede una petici\u00f3n manipulada. Esto puede permitir que se realicen acciones no autorizadas en nombre de la v\u00edctima."}], "lastModified": "2026-04-01T15:32:50.733", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E8DBE536-EAB0-48FF-A195-C0DB0A7FBCA0", "versionEndExcluding": "10.1.16", "versionStartIncluding": "10.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}