Strix
26.1K

CVE-2024-9665

MEDIUMCVSS 6.5/10EPSS 0.46%

Last modified

CVE-2024-9665 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. Zimbra GraphQL Cross-Site Request Forgery Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Zimbra. EPSS estimates a 0.46% chance of exploitation in the next 30 days.

Description

Zimbra GraphQL Cross-Site Request Forgery Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Zimbra. User interaction is required to exploit this vulnerability in that the target must open a malicious email message. The specific flaw exists within the implementation of the graphql endpoint. The issue results from the lack of proper protections against cross-site request forgery (CSRF) attacks. An attacker can leverage this vulnerability to disclose information in the context of the target email account. Was ZDI-CAN-23939.

Metrics

CVSS 3.1
6.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

EPSS Probability
0.46%

36.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersionsUpdate
ZimbraZimbra< 9.0.0
ZimbraZimbra>= 10.0.0, < 10.0.10
ZimbraZimbra>= 10.1.0, < 10.1.2
ZimbraZimbra9.0.0P0

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2024-9665?
Zimbra GraphQL Cross-Site Request Forgery Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Zimbra. User interaction is required to exploit this vulnerability in that the target must open a malicious email message. The specific flaw exists within the implementation of the graphql endpoint. The issue results from the lack of proper protections against cross-site request forgery (CSRF) attacks. An attacker can leverage this vulnerability to disclose information in the context of the target email account. Was ZDI-CAN-23939.
How severe is CVE-2024-9665?
CVE-2024-9665 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 0.46% probability of exploitation in the next 30 days.
How do I fix CVE-2024-9665?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-9665?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST