{"id":"CVE-2020-12846","details":"Zimbra before 8.8.15 Patch 10 and 9.x before 9.0.0 Patch 3 allows remote code execution via an avatar file. There is potential abuse of /service/upload servlet in the webmail subsystem. A user can upload executable files (exe,sh,bat,jar) in the Contact section of the mailbox as an avatar image for a contact. A user will receive a \"Corrupt File\" error, but the file is still uploaded and stored locally in /opt/zimbra/data/tmp/upload/, leaving it open to possible remote execution.","modified":"2026-04-10T04:22:08.171647Z","published":"2020-06-03T17:15:24.793Z","references":[{"type":"ADVISORY","url":"https://wiki.zimbra.com/wiki/Security_Center"},{"type":"ADVISORY","url":"https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P3"},{"type":"ADVISORY","url":"https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/zimbra/zm-build","events":[{"introduced":"0"},{"fixed":"ac6081fa002b1511e926aba37740d2b6c20f3f43"},{"introduced":"0"},{"last_affected":"ac6081fa002b1511e926aba37740d2b6c20f3f43"},{"introduced":"0"},{"last_affected":"29eea219faf34718f0ef1cda7c3f02c89910c96c"},{"introduced":"0"},{"last_affected":"905970576d6fe337150f09c0ad7a0f53aa1a8f42"},{"introduced":"0"},{"last_affected":"0e40da921adb967639011de45841cef4c4601413"},{"introduced":"0"},{"last_affected":"b6cd8f69d2761c014d4a3807f0bdee0011386444"},{"introduced":"0"},{"last_affected":"5561a39cba0898c3bb5e188284d98f498d7a3c9a"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"8.8.15"},{"introduced":"0"},{"last_affected":"8.8.15-NA"},{"introduced":"0"},{"last_affected":"8.8.15-p1"},{"introduced":"0"},{"last_affected":"8.8.15-p3"},{"introduced":"0"},{"last_affected":"8.8.15-p5"},{"introduced":"0"},{"last_affected":"9.0.0-NA"},{"introduced":"0"},{"last_affected":"9.0.0-p1"}]}},{"type":"GIT","repo":"https://github.com/zimbra/zm-mailbox","events":[{"introduced":"0"},{"last_affected":"8dd758add476db0ee9a7c1abab136e30ebde01b2"},{"introduced":"0"},{"last_affected":"efd11afe1b526bb03f59b699aaadf6a1449e0244"},{"introduced":"0"},{"last_affected":"d093cdf68ec6716be445c653277f602739a5086b"},{"introduced":"0"},{"last_affected":"a12b964a206748de6db6dc1da2ee16249aabafce"},{"introduced":"0"},{"last_affected":"58996926d8f031827e03ec788d69fd2d16739b1a"},{"introduced":"0"},{"last_affected":"d31ba9d45eb31100ea30461dd859a5a9663b1e4a"},{"introduced":"0"},{"last_affected":"dbe58ce9fb59913993aa2d7a5f2c28a292ee4a86"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"8.8.15-p2"},{"introduced":"0"},{"last_affected":"8.8.15-p4"},{"introduced":"0"},{"last_affected":"8.8.15-p6"},{"introduced":"0"},{"last_affected":"8.8.15-p7"},{"introduced":"0"},{"last_affected":"8.8.15-p8"},{"introduced":"0"},{"last_affected":"8.8.15-p9"},{"introduced":"0"},{"last_affected":"9.0.0-p2"}]}}],"versions":["8.7.10","8.7.11","8.7.6","8.7.7","8.7.9","8.8.0.beta1","8.8.10","8.8.12","8.8.15","8.8.15.p1","8.8.15.p11","8.8.15.p2","8.8.15.p3","8.8.15.p4","8.8.15.p5","8.8.15.p6","8.8.15.p7","8.8.15.p8","8.8.15.p9","8.8.2","8.8.3","8.8.4","8.8.5","8.8.6","8.8.7","8.8.8","8.8.9","8.8.9.p1","8.8.9.p3","9.0.0","9.0.0.p1","9.0.0.p19","9.0.0.p2","9.0.0.p4","9.0.0.p7","9.0.0.p7.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-12846.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"}]}
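The record's description names the failure mode (the servlet reports "Corrupt File" but still persists an exe/sh/bat/jar under /opt/zimbra/data/tmp/upload/) and an affected range (before 8.8.15 Patch 10, 9.x before 9.0.0 Patch 3). The following is an added triage example, not Zimbra's code and not the vendor's fix: it applies the record's version range to version strings in the record's own "major.minor.micro[.pN]" / "-pN" form, shows a fail-closed avatar store that validates by leading bytes before anything touches disk, and a scan that flags non-image files left in the upload directory. A temporary directory stands in for the real upload path, and every sample file is constructed here.

```python
# Added example for CVE-2020-12846 triage; not Zimbra's code. Version strings are
# assumed to follow the record's "major.minor.micro[.pN]" (or "-pN") form; a temp
# dir stands in for /opt/zimbra/data/tmp/upload/. All samples are constructed.
import os
import re
import shutil
import tempfile
import uuid

def is_affected_version(version: str) -> bool:
    """Record's range: before 8.8.15 Patch 10, or 9.0.0 before Patch 3."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]p(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Zimbra version string: {version!r}")
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    patch = int(m.group(4)) if m.group(4) else 0  # "8.8.15", "8.8.15-NA" => patch 0
    if base < (8, 8, 15):
        return True                # every 8.7.x and early 8.8.x release
    if base == (8, 8, 15):
        return patch < 10
    if base == (9, 0, 0):
        return patch < 3
    return False                   # later releases are outside the record's range

def sniff_image_type(head: bytes):
    """Identify an image by its leading bytes; None for anything else."""
    if head.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if head.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if head[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    return None

def classify_non_image(head: bytes) -> str:
    """Label non-image content of the kinds the record names (exe, sh, jar)."""
    if head.startswith(b"MZ"):
        return "pe"
    if head.startswith(b"PK\x03\x04"):
        return "zip/jar"
    if head.startswith(b"#!"):
        return "script"
    return "unknown"

ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}

def store_avatar(filename: str, data: bytes, upload_dir: str) -> str:
    """Fail-closed store: validate first, touch disk only on success."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension not allowed: {ext or '(none)'}")
    kind = sniff_image_type(data[:16])
    if kind is None:
        raise ValueError("content lacks a PNG, JPEG or GIF signature")
    # Server-generated name; the client's filename never reaches the filesystem.
    path = os.path.join(upload_dir, f"{uuid.uuid4().hex}.{kind}")
    with open(path, "wb") as fh:
        fh.write(data)
    return path

def scan_upload_dir(upload_dir: str):
    """Detection side: list files in the upload directory that are not images."""
    findings = []
    for name in sorted(os.listdir(upload_dir)):
        with open(os.path.join(upload_dir, name), "rb") as fh:
            head = fh.read(16)
        if sniff_image_type(head) is None:
            findings.append((name, classify_non_image(head)))
    return findings

# Constructed samples: one PNG, the executable types the record names, and a
# script renamed to .png to show why an extension check alone is not enough.
SAMPLES = {
    "avatar.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "avatar.sh": b"#!/bin/sh\nid\n",
    "avatar.exe": b"MZ\x90\x00" + b"\x00" * 12,
    "avatar.jar": b"PK\x03\x04" + b"\x00" * 12,
    "renamed.png": b"#!/bin/sh\nuname -a\n",
}

def demo():
    """Store the samples fail-closed, replay the pre-patch behaviour for the
    rejects (bytes kept despite the "Corrupt File" error), then scan for them."""
    upload_dir = tempfile.mkdtemp(prefix="zimbra-upload-")
    accepted, rejected = [], []
    try:
        for name, data in SAMPLES.items():
            try:
                store_avatar(name, data, upload_dir)
                accepted.append(name)
            except ValueError:
                rejected.append(name)
                with open(os.path.join(upload_dir, name), "wb") as fh:
                    fh.write(data)     # what the unpatched servlet did
        findings = scan_upload_dir(upload_dir)
    finally:
        shutil.rmtree(upload_dir)
    return {"accepted": accepted, "rejected": rejected, "findings": findings}
```

The point of `store_avatar` is ordering: the record describes a servlet that reported an error and kept the bytes anyway, so the validation must run before the write and a rejection must leave nothing on disk. Checking the leading bytes rather than the client's extension or Content-Type is what catches `renamed.png`; storing under a server-generated name keeps a client-chosen `.sh` or `.jar` name out of the filesystem entirely. The PE, zip/jar and `#!` signatures in `classify_non_image` are only labels for the scan output; the accept decision rests solely on the image signatures.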