{"id":"CVE-2020-10194","details":"cs/service/account/AutoCompleteGal.java in Zimbra zm-mailbox before 8.8.15.p8 allows authenticated users to request any GAL account. This differs from the intended behavior in which the domain of the authenticated user must match the domain of the galsync account in the request.","modified":"2026-04-11T09:46:15.875211Z","published":"2020-03-20T21:15:17.047Z","references":[{"type":"FIX","url":"https://github.com/Zimbra/zm-mailbox/pull/1020"},{"type":"FIX","url":"https://github.com/Zimbra/zm-mailbox/commit/1df440e0efa624d1772a05fb6d397d9beb4bda1e"},{"type":"FIX","url":"https://github.com/Zimbra/zm-mailbox/compare/8.8.15.p7...8.8.15.p8"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/zimbra/zm-mailbox","events":[{"introduced":"0"},{"fixed":"d30e647f21ecef5490f21facf2e06e228b44a36e"},{"introduced":"0"},{"last_affected":"d30e647f21ecef5490f21facf2e06e228b44a36e"},{"introduced":"0"},{"last_affected":"042b0963ea86e965d9fcd036816ac87d6fe88b9b"},{"introduced":"0"},{"last_affected":"8dd758add476db0ee9a7c1abab136e30ebde01b2"},{"introduced":"0"},{"last_affected":"9665ec3f4ea1a372efce0dfdc3e1226ef0c49249"},{"introduced":"0"},{"last_affected":"efd11afe1b526bb03f59b699aaadf6a1449e0244"},{"introduced":"0"},{"last_affected":"fe16ceac5e47687386b4c54d2d11a28f017f4bf4"},{"introduced":"0"},{"last_affected":"d093cdf68ec6716be445c653277f602739a5086b"},{"introduced":"0"},{"last_affected":"a12b964a206748de6db6dc1da2ee16249aabafce"},{"fixed":"1df440e0efa624d1772a05fb6d397d9beb4bda1e"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"8.8.15"},{"introduced":"0"},{"last_affected":"8.8.15-NA"},{"introduced":"0"},{"last_affected":"8.8.15-patch1"},{"introduced":"0"},{"last_affected":"8.8.15-patch2"},{"introduced":"0"},{"last_affected":"8.8.15-patch3"},{"introduced":"0"},{"last_affected":"8.8.15-patch4"},{"introduced":"0"},{"last_affected":"8.8.15-patch5"},{"introduced":"0"},{"last_affected":"8.8.15-patch6"},{"introduced":"0"},{"last_affected":"8.8.15-patch7"}]}}],"versions":["8.8.10","8.8.12","8.8.15","8.8.15.p1","8.8.15.p2","8.8.15.p3","8.8.15.p4","8.8.15.p5","8.8.15.p6","8.8.15.p7","8.8.2","8.8.3","8.8.4","8.8.5","8.8.6","8.8.7","8.8.8","8.8.9"],"database_specific":{"vanir_signatures_modified":"2026-04-11T09:46:15Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-10194.json","vanir_signatures":[{"signature_type":"Function","deprecated":false,"source":"https://github.com/zimbra/zm-mailbox/commit/d30e647f21ecef5490f21facf2e06e228b44a36e","id":"CVE-2020-10194-4314dc38","target":{"function":"updateLastLogon","file":"store/src/java/com/zimbra/cs/account/ldap/LdapProvisioning.java"},"digest":{"length":461,"function_hash":"130804680382483964301386928646396783356"},"signature_version":"v1"},{"signature_type":"Line","deprecated":false,"source":"https://github.com/zimbra/zm-mailbox/commit/1df440e0efa624d1772a05fb6d397d9beb4bda1e","id":"CVE-2020-10194-81b4ab0b","target":{"file":"store/src/java/com/zimbra/cs/service/account/AutoCompleteGal.java"},"digest":{"threshold":0.9,"line_hashes":["229517679686205523715402217324700394259","56981330284956748620401296164109700603","336897459929083016848280167708331261784","87588029407074370430861276684829618465","103335325727630520655163700639494496382","253093700081280273806403364256489052188"]},"signature_version":"v1"},{"signature_type":"Line","deprecated":false,"source":"https://github.com/zimbra/zm-mailbox/commit/d30e647f21ecef5490f21facf2e06e228b44a36e","id":"CVE-2020-10194-96c6e311","target":{"file":"store/src/java/com/zimbra/cs/account/ldap/LdapProvisioning.java"},"digest":{"threshold":0.9,"line_hashes":["35532726304441886843822597725517922529","86869606749296562789619135716824747966","329209388892522800440224682947664957145","301198994465565842404478996247629867721","249110717571679374632676844697594286961","165150619554600532748713227738510509377","135793442757343879754509969633552703576","99023990949396355242231588957425096724"]},"signature_version":"v1"},{"signature_type":"Function","deprecated":false,"source":"https://github.com/zimbra/zm-mailbox/commit/1df440e0efa624d1772a05fb6d397d9beb4bda1e","id":"CVE-2020-10194-aa5bbd03","target":{"function":"handle","file":"store/src/java/com/zimbra/cs/service/account/AutoCompleteGal.java"},"digest":{"length":1002,"function_hash":"121930347612280065506370044909784702061"},"signature_version":"v1"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}]}