{"id":"CVE-2019-9670","details":"mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability, as demonstrated by Autodiscover/Autodiscover.xml.","modified":"2026-04-10T04:20:55.564442Z","published":"2019-05-29T22:29:01.507Z","references":[{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-9670"},{"type":"ADVISORY","url":"http://www.rapid7.com/db/modules/exploit/linux/http/zimbra_xxe_rce"},{"type":"ADVISORY","url":"https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"},{"type":"FIX","url":"https://bugzilla.zimbra.com/show_bug.cgi?id=109129"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/152487/Zimbra-Collaboration-Autodiscover-Servlet-XXE-ProxyServlet-SSRF.html"},{"type":"EVIDENCE","url":"https://isc.sans.edu/forums/diary/CVE20199670+Zimbra+Collaboration+Suite+XXE+vulnerability/27570/"},{"type":"EVIDENCE","url":"https://www.exploit-db.com/exploits/46693/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/zimbra/zm-build","events":[{"introduced":"0"},{"fixed":"6c3c77b328a0d7d3bafecb79d202960217922ef0"},{"introduced":"0"},{"last_affected":"6c3c77b328a0d7d3bafecb79d202960217922ef0"},{"introduced":"0"},{"last_affected":"99ed312c10c45aa80e08be0c0ecbce46a53a4ace"},{"introduced":"0"},{"last_affected":"d077c8d575b8d2ea5ef93331958237b22e42e6f7"},{"introduced":"0"},{"last_affected":"2705a9ca4782dcc4bea5f7d3653c2bf93f8582bb"},{"introduced":"0"},{"last_affected":"0867fcb7263fa9a1130b192d8c8538b05db4eee6"},{"introduced":"0"},{"last_affected":"4a8e4bee73cd2c8e5804788ef5212d0d180f5846"},{"introduced":"0"},{"last_affected":"7b0d4aa4baaf4d62a4858b390856771d30db3c37"},{"introduced":"0"},{"last_affected":"58f5c7adeac0dc81b2286c1b948c97c134587bb9"},{"introduced":"0"},{"last_affected":"9f862bb6fb9bf2e77fbcea7ff62e92986c4044c9"},{"introduced":"0"},{"last_affected":"e4d1e657f1d2a5a5e8c56c11d7da34ef61574591"}],"database_specific":{"versions":[{"introduced":"8.7.0"},{"fixed":"8.7.11"},{"introduced":"0"},{"last_affected":"8.7.11-NA"},{"introduced":"0"},{"last_affected":"8.7.11-p1"},{"introduced":"0"},{"last_affected":"8.7.11-p2"},{"introduced":"0"},{"last_affected":"8.7.11-p3"},{"introduced":"0"},{"last_affected":"8.7.11-p4"},{"introduced":"0"},{"last_affected":"8.7.11-p5"},{"introduced":"0"},{"last_affected":"8.7.11-p6"},{"introduced":"0"},{"last_affected":"8.7.11-p7"},{"introduced":"0"},{"last_affected":"8.7.11-p8"},{"introduced":"0"},{"last_affected":"8.7.11-p9"}]}}],"versions":["8.7.10","8.7.11","8.7.11.p1","8.7.11.p2","8.7.11.p3","8.7.11.p4","8.7.11.p5","8.7.11.p6","8.7.11.p7","8.7.11.p8","8.7.11.p9","8.7.6","8.7.7","8.7.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-9670.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}