Zimbra Collaboration
cpe:2.3:a:zimbra:collaboration:*:*:*:*:*:*:*
- 10.0
- 10.1
A cross-site request forgery (CSRF) vulnerability has been identified in Zimbra Collaboration (ZCS) versions 10.0 and 10.1. This vulnerability arises from improper validation of CSRF tokens in Zimbra Webmail, allowing attackers to exploit the issue by tricking authenticated users into submitting crafted requests. The application mistakenly accepts CSRF tokens from the request body instead of the required header, potentially enabling unauthorized actions on behalf of the user.
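The design point behind this advisory is where a CSRF token is read from. A token that is only required in the request body can be supplied by an ordinary cross-site HTML form submission, which a browser sends with the victim's cookies but without any custom header; a token required in a custom request header can only be set by same-origin script (cross-origin requests that try to set one are blocked by CORS unless the server opts in). The following Python example, added here and not Zimbra's code, contrasts a flawed validator that falls back to a body field with a hardened one that accepts the header only. The header name, body field name, request model and token store are constructed assumptions for illustration, not the actual identifiers used by ZCS.

```python
# Added illustration of the CSRF-token validation flaw class described
# above. Example code, not Zimbra's; the header name, form-field name and
# request model are constructed assumptions.
import hmac
import secrets

CSRF_HEADER = "X-CSRF-Token"   # assumed header name (not Zimbra's)
CSRF_FIELD = "csrfToken"       # assumed body field name (not Zimbra's)


def new_session_token() -> str:
    """Per-session anti-CSRF secret, stored server-side with the login session."""
    return secrets.token_hex(32)


def _matches(expected: str, presented) -> bool:
    """Constant-time comparison; None, wrong type or non-ASCII never matches."""
    if not isinstance(presented, str):
        return False
    try:
        return hmac.compare_digest(expected, presented)
    except TypeError:  # non-ASCII str cannot be a valid hex token
        return False


def weak_csrf_check(session_token: str, headers: dict, body: dict) -> bool:
    """Flawed pattern: when the header is absent, fall back to the body.

    A plain cross-site <form> post carries body fields and cookies but no
    custom header, so accepting the token from the body means validation
    no longer proves the request came from the application's own script.
    """
    presented = headers.get(CSRF_HEADER)
    if presented is None:
        presented = body.get(CSRF_FIELD)   # the mistake: body is trusted
    return _matches(session_token, presented)


def strict_csrf_check(session_token: str, headers: dict, body: dict) -> bool:
    """Hardened pattern: the token is accepted from the custom header only.

    The body is deliberately ignored even if it carries a correct value, so
    a request arriving without the header is rejected regardless of content.
    """
    return _matches(session_token, headers.get(CSRF_HEADER))


def evaluate(session_token: str, headers: dict, body: dict):
    """Return (weak_result, strict_result) for one request, for side-by-side review."""
    return (weak_csrf_check(session_token, headers, body),
            strict_csrf_check(session_token, headers, body))


if __name__ == "__main__":
    tok = new_session_token()
    # Constructed request shapes, not captured traffic.
    cases = {
        "same-origin XHR, token in header": ({CSRF_HEADER: tok}, {}),
        "cross-site form post, token only in body": ({}, {CSRF_FIELD: tok}),
        "cross-site form post, no token": ({}, {}),
        "wrong token in header": ({CSRF_HEADER: "x" * 64}, {}),
    }
    for name, (h, b) in cases.items():
        weak, strict = evaluate(tok, h, b)
        print(f"{name:42s} weak={weak!s:5s} strict={strict}")
```

The second case is the one that matters: a request carrying a correct token only in the body passes the weak check and fails the strict one. When auditing a validator, that case (header absent, body token present) is the one to exercise; after upgrading, requests of that shape that are now rejected are also a useful thing to log, since legitimate webmail clients should be sending the header.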
Exploitation of this vulnerability could lead to unauthorized actions being performed on behalf of the victim user.
Users can upgrade to ZCS versions 10.1.13 or 10.0.18, both of which include the necessary security fix. Instructions for upgrading can be found on the Zimbra Releases page.