Vulnerability Report

CVE-2013-7091

Title: Synacor Zimbra Collaboration Suite RCE

Arbitrary File Access

Proof Of Concept

PoC Available for CVE-2013-7091

CWE Category CWE-22
Published Date Dec 13, 2013
Modified Date Apr 29, 2026
Exploit Status Available
Score 5.0 CVSS v2.0
Exploit Probability (EPSS)
92.41%

Vulnerability Summary

CVE-2013-7091: Directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the skin parameter. NOTE: this can be leveraged to execute arbitrary code by obtaining LDAP credentials and accessing the service/admin/soap API.

Impacted Vendors

Z
zimbra 1
S
synacor 1

Reference Links

http://osvdb.org/100747 http://packetstormsecurity.com/files/124321 http://www.exploit-db.com/exploits/30085 http://www.exploit-db.com/exploits/30472 http://www.securityfocus.com/bid/64149 https://exchange.xforce.ibmcloud.com/vulnerabilities/89527 http://osvdb.org/100747 http://packetstormsecurity.com/files/124321 http://www.exploit-db.com/exploits/30085 http://www.exploit-db.com/exploits/30472 http://www.securityfocus.com/bid/64149 https://exchange.xforce.ibmcloud.com/vulnerabilities/89527
CVSS v2.0
Source Entity [email protected]
Severity MEDIUM
5.0
Access Vector
N/A
Authentication
N/A
RAW VECTOR AV:N/AC:L/Au:N/C:P/I:N/A:N

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2013-7091 Exploits & PoCs (Proof Of Concept)

Exploit-DB https://www.exploit-db.com/exploits/30085
View Code
Exploit-DB https://www.exploit-db.com/exploits/30472
View Code
MODIFIED

Vulnerability data updated via NVD.

MODIFIED

Vulnerability data or affected products updated.

PUBLISHED

Vulnerability first announced in NVD.

Attack Vector Matrix

Access Vector N/A
Complexity N/A
Privileges N/A
Interaction NONE
CVSS Vector String AV:N/AC:L/Au:N/C:P/I:N/A:N

Affected Stack

No specific products linked.