CVE-2024-45518: 
Zimbra Collaboration Server vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability (CVE-2024-45518) was discovered in Zimbra Collaboration (ZCS) affecting versions 10.1.x before 10.1.1, 10.0.x before 10.0.9, 9.0.0 before Patch 41, and 8.8.15 before Patch 46. The vulnerability was disclosed on October 22, 2024 (NVD).

The vulnerability stems from improper input sanitization and misconfigured domain whitelisting, allowing authenticated users to exploit Server-Side Request Forgery (SSRF). The issue has a CVSS v3.1 base score of 8.8 HIGH (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) according to NVD assessment (NVD).

This vulnerability permits unauthorized HTTP requests to be sent to internal services, which can lead to Remote Code Execution (RCE) by chaining Command Injection within the internal service. When combined with existing XSS vulnerabilities, this SSRF issue can further facilitate Remote Code Execution (RCE) (Security Center).

The vulnerability has been patched in Zimbra Collaboration versions 10.1.1, 10.0.9, 9.0.0 Patch 41, and 8.8.15 Patch 46. Users are strongly advised to upgrade to these versions or later to mitigate the vulnerability (Security Center).