synacor CVE Vulnerabilities & Metrics

Focus on synacor vulnerabilities and metrics.

Last updated: 29 Jun 2025, 22:25 UTC

About synacor Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with synacor. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

Global CVE Overview

Total synacor CVEs: 65
Earliest CVE date: 23 Sep 2013, 20:55 UTC
Latest CVE date: 14 May 2025, 20:15 UTC

Latest CVE reference: CVE-2024-45516

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 13

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): -100.0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): -100.0%
Year Growth Rate (365-day Rolling): 0.0%

[Charts not reproduced: Monthly CVE Trends (current vs previous year); Annual CVE Trends (last 20 years); Critical synacor CVEs (CVSS ≥ 9) over 20 years]

CVSS Stats

Average CVSS: 4.04

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range       Count
0.0-3.9     18
4.0-6.9     42
7.0-8.9     7
9.0-10.0    0

Top 5 Highest CVSS synacor CVEs

These are the five CVEs with the highest CVSS scores for synacor, sorted first by severity and then by recency.

All CVEs for synacor

CVE-2024-45516 synacor vulnerability CVSS: 0 14 May 2025, 20:15 UTC

An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, including malformed <img> tags with embedded JavaScript. The vulnerability is triggered when a user views a specially crafted email in the Classic UI, requiring no additional user interaction.

CVE-2025-32354 synacor vulnerability CVSS: 0 29 Apr 2025, 16:15 UTC

In Zimbra Collaboration (ZCS) 9.0 through 10.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the GraphQL endpoint (/service/extension/graphql) of Zimbra webmail due to a lack of CSRF token validation. This allows attackers to perform unauthorized GraphQL operations, such as modifying contacts, changing account settings, and accessing sensitive user data when an authenticated user visits a malicious website.

CVE-2025-25065 synacor vulnerability CVSS: 0 03 Feb 2025, 20:15 UTC

SSRF vulnerability in the RSS feed parser in Zimbra Collaboration 9.0.0 before Patch 43, 10.0.x before 10.0.12, and 10.1.x before 10.1.4 allows unauthorized redirection to internal network endpoints.

CVE-2025-25064 synacor vulnerability CVSS: 0 03 Feb 2025, 20:15 UTC

SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. Authenticated attackers can exploit this vulnerability by manipulating a specific parameter in the request, allowing them to inject arbitrary SQL queries that could retrieve email metadata.

CVE-2024-54663 synacor vulnerability CVSS: 0 19 Dec 2024, 23:15 UTC

An issue was discovered in the Webmail Classic UI in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A Local File Inclusion (LFI) vulnerability exists in the /h/rest endpoint, allowing authenticated remote attackers to include and access sensitive files in the WebRoot directory. Exploitation requires a valid auth token and involves crafting a malicious request targeting specific file paths.

CVE-2024-45517 synacor vulnerability CVSS: 0 21 Nov 2024, 17:15 UTC

An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A Cross-Site Scripting (XSS) vulnerability in the /h/rest endpoint of the Zimbra webmail and admin panel interfaces allows attackers to execute arbitrary JavaScript in the victim's session. This issue is caused by improper sanitization of user input, leading to potential compromise of sensitive information. Exploitation requires user interaction to access the malicious URL.

CVE-2024-45513 synacor vulnerability CVSS: 0 21 Nov 2024, 17:15 UTC

An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A stored Cross-Site Scripting (XSS) vulnerability exists in the /modern/contacts/print endpoint of Zimbra webmail. This allows an attacker to inject and execute arbitrary JavaScript code in the context of the victim's browser when a crafted vCard (VCF) file is processed and printed. This could lead to unauthorized actions within the victim's session.

CVE-2024-45194 synacor vulnerability CVSS: 0 21 Nov 2024, 17:15 UTC

In Zimbra Collaboration (ZCS) 9.0 and 10.0, a vulnerability in the Webmail Modern UI allows execution of stored Cross-Site Scripting (XSS) payloads. An attacker with administrative access to the Zimbra Administration Panel can inject malicious JavaScript code while configuring an email account. This injected code is stored on the server and executed in the context of the victim's browser when interacting with specific elements in the web interface. (The vulnerability can be mitigated by properly sanitizing input parameters to prevent the injection of malicious code.)

CVE-2024-45514 synacor vulnerability CVSS: 0 21 Nov 2024, 16:15 UTC

An issue was discovered in Zimbra Collaboration (ZCS) through v10.1. A Cross-Site Scripting (XSS) vulnerability exists in one of the endpoints of Zimbra Webmail due to insufficient sanitization of the packages parameter. Attackers can bypass the existing checks by using encoded characters, allowing the injection and execution of arbitrary JavaScript within a victim's session.

CVE-2024-45512 synacor vulnerability CVSS: 0 21 Nov 2024, 16:15 UTC

An issue was discovered in webmail in Zimbra Collaboration (ZCS) through 10.1. An attacker can exploit this vulnerability by creating a folder in the Briefcase module with a malicious payload and sharing it with a victim. When the victim interacts with the folder share notification, the malicious script executes in their browser. This stored Cross-Site Scripting (XSS) vulnerability can lead to unauthorized actions within the victim's session.

CVE-2024-45510 synacor vulnerability CVSS: 0 20 Nov 2024, 20:15 UTC

An issue was discovered in Zimbra Collaboration (ZCS) through 10.0. Zimbra Webmail (Modern UI) is vulnerable to a stored Cross-Site Scripting (XSS) attack due to improper sanitization of user input. This allows an attacker to inject malicious code into specific fields of an e-mail message. When the victim adds the attacker to their contacts, the malicious code is stored and executed when viewing the contact list. This can lead to unauthorized actions such as arbitrary mail sending, mailbox exfiltration, profile picture alteration, and other malicious actions. Proper sanitization and escaping of input fields are necessary to mitigate this vulnerability.

CVE-2024-45511 synacor vulnerability CVSS: 0 20 Nov 2024, 19:15 UTC

An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A reflected Cross-Site Scripting (XSS) issue exists through the Briefcase module due to improper sanitization of file content by the OnlyOffice formatter. This occurs when the victim opens a crafted URL pointing to a shared folder containing a malicious file uploaded by the attacker. The vulnerability allows the attacker to execute arbitrary JavaScript in the context of the victim's session.

CVE-2024-50599 synacor vulnerability CVSS: 0 07 Nov 2024, 21:15 UTC

A reflected Cross-Site Scripting (XSS) vulnerability has been identified in Zimbra Collaboration Suite (ZCS) 8.8.15, affecting one of the webmail calendar endpoints. This arises from improper handling of user-supplied input, allowing an attacker to inject malicious code that is reflected back in the HTML response.

CVE-2022-3569 synacor vulnerability CVSS: 0 17 Oct 2022, 23:15 UTC

Due to an issue with incorrect sudo permissions, Zimbra Collaboration Suite (ZCS) suffers from a local privilege escalation issue in versions 9.0.0 and prior, where the 'zimbra' user can effectively coerce postfix into running arbitrary commands as 'root'.

CVE-2020-18985 synacor vulnerability CVSS: 5.8 15 Dec 2021, 23:15 UTC

An issue in /domain/service/.ewell-known/caldav of Zimbra Collaboration 8.8.12 allows attackers to redirect users to any arbitrary website of their choosing.

CVE-2020-18984 synacor vulnerability CVSS: 4.3 15 Dec 2021, 23:15 UTC

A reflected cross-site scripting (XSS) vulnerability in the zimbraAdmin/public/secureRequest.jsp component of Zimbra Collaboration 8.8.12 allows unauthenticated attackers to execute arbitrary web scripts or HTML via a host header injection.

CVE-2020-13653 synacor vulnerability CVSS: 4.3 02 Jul 2020, 16:15 UTC

An XSS vulnerability exists in the Webmail component of Zimbra Collaboration Suite before 8.8.15 Patch 11. It allows an attacker to inject executable JavaScript into the account name of a user's profile. The injected code can be reflected and executed when changing an e-mail signature.

CVE-2020-12846 synacor vulnerability CVSS: 6.0 03 Jun 2020, 17:15 UTC

Zimbra before 8.8.15 Patch 10 and 9.x before 9.0.0 Patch 3 allows remote code execution via an avatar file. There is potential abuse of /service/upload servlet in the webmail subsystem. A user can upload executable files (exe,sh,bat,jar) in the Contact section of the mailbox as an avatar image for a contact. A user will receive a "Corrupt File" error, but the file is still uploaded and stored locally in /opt/zimbra/data/tmp/upload/, leaving it open to possible remote execution.

CVE-2020-8633 synacor vulnerability CVSS: 5.0 18 Feb 2020, 22:15 UTC

An issue was discovered in Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7. When grantors revoked a shared calendar in Outlook, the calendar stayed mounted and accessible.

CVE-2020-7796 synacor vulnerability CVSS: 6.8 18 Feb 2020, 22:15 UTC

Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is enabled.

CVE-2019-11318 synacor vulnerability CVSS: 3.5 27 Jan 2020, 19:15 UTC

Zimbra Collaboration before 8.8.12 Patch 1 has persistent XSS.

CVE-2015-2249 synacor vulnerability CVSS: 3.5 27 Jan 2020, 19:15 UTC

Zimbra Collaboration before 8.6.0 patch5 has XSS.

CVE-2014-8563 synacor vulnerability CVSS: 7.5 27 Jan 2020, 19:15 UTC

Synacor Zimbra Collaboration before 8.0.9 allows plaintext command injection during STARTTLS.

CVE-2014-5500 synacor vulnerability CVSS: 4.3 27 Jan 2020, 19:15 UTC

Synacor Zimbra Collaboration before 8.0.8 has XSS.

CVE-2015-7609 synacor vulnerability CVSS: 4.3 30 May 2019, 20:29 UTC

Synacor Zimbra Mail Client 8.6 before 8.6.0 Patch 5 has XSS via the error/warning dialog and email body content in Zimbra.

CVE-2015-2230 synacor vulnerability CVSS: 4.3 30 May 2019, 20:29 UTC

Synacor Zimbra Collaboration Server 8.x before 8.7.0 has Reflected XSS in admin console.

CVE-2018-14425 synacor vulnerability CVSS: 4.3 30 May 2019, 18:29 UTC

There is a Persistent XSS vulnerability in the briefcase component of Synacor Zimbra Collaboration Suite (ZCS) Zimbra Web Client (ZWC) 8.8.8 before 8.8.8 Patch 7 and 8.8.9 before 8.8.9 Patch 1.

CVE-2018-10948 synacor vulnerability CVSS: 3.5 30 May 2019, 18:29 UTC

Synacor Zimbra Admin UI in Zimbra Collaboration Suite before 8.8.0 beta 2 has Persistent XSS via mail addrs.

CVE-2018-15131 synacor vulnerability CVSS: 5.0 30 May 2019, 16:29 UTC

An issue was discovered in Synacor Zimbra Collaboration Suite 8.6.x before 8.6.0 Patch 11, 8.7.x before 8.7.11 Patch 6, 8.8.x before 8.8.8 Patch 9, and 8.8.9 before 8.8.9 Patch 3. Account number enumeration is possible via inconsistent responses for specific types of authentication requests.

CVE-2019-9670 synacor vulnerability CVSS: 7.5 29 May 2019, 22:29 UTC

mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability, as demonstrated by Autodiscover/Autodiscover.xml.

CVE-2019-6981 synacor vulnerability CVSS: 4.0 29 May 2019, 22:29 UTC

Zimbra Collaboration Suite 8.7.x through 8.8.11 allows Blind SSRF in the Feed component.

CVE-2019-6980 synacor vulnerability CVSS: 7.5 29 May 2019, 22:29 UTC

Synacor Zimbra Collaboration Suite 8.7.x through 8.8.11 allows insecure object deserialization in the IMAP component.

CVE-2018-20160 synacor vulnerability CVSS: 7.5 29 May 2019, 22:29 UTC

ZxChat (aka ZeXtras Chat), as used for zimbra-chat and zimbra-talk in Synacor Zimbra Collaboration Suite 8.7 and 8.8 and in other products, allows XXE attacks, as demonstrated by a crafted XML request to mailboxd.

CVE-2018-18631 synacor vulnerability CVSS: 4.3 29 May 2019, 22:29 UTC

mailboxd component in Synacor Zimbra Collaboration Suite 8.6, 8.7 before 8.7.11 Patch 7, and 8.8 before 8.8.10 Patch 2 has Persistent XSS.

CVE-2018-14013 synacor vulnerability CVSS: 4.3 29 May 2019, 22:29 UTC

Synacor Zimbra Collaboration Suite Collaboration before 8.8.11 has XSS in the AJAX and html web clients.

CVE-2018-17938 synacor vulnerability CVSS: 5.0 03 Oct 2018, 08:29 UTC

Zimbra Collaboration before 8.8.10 GA allows text content spoofing via a loginErrorCode value.

CVE-2018-10939 synacor vulnerability CVSS: 4.3 30 May 2018, 21:29 UTC

Zimbra Web Client (ZWC) in Zimbra Collaboration Suite 8.8 before 8.8.8.Patch4 and 8.7 before 8.7.11.Patch4 has Persistent XSS via a contact group.

CVE-2015-7610 synacor vulnerability CVSS: 6.8 30 May 2018, 21:29 UTC

Cross-site request forgery (CSRF) vulnerability in the login form in Zimbra Collaboration Suite (aka ZCS) before 8.6.0 Patch 10, 8.7.x before 8.7.11 Patch 2, and 8.8.x before 8.8.8 Patch 1 allows remote attackers to hijack the authentication of unspecified victims by leveraging failure to use a CSRF token.

CVE-2018-10951 synacor vulnerability CVSS: 4.0 10 May 2018, 01:29 UTC

mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 before 8.6.0.Patch10 allows zimbraSSLPrivateKey read access via a GetServer, GetAllServers, or GetAllActiveServers call in the Admin SOAP API.

CVE-2018-10950 synacor vulnerability CVSS: 5.0 10 May 2018, 01:29 UTC

mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 before 8.6.0.Patch10 allows Information Exposure through Verbose Error Messages containing a stack dump, tracing data, or full user-context dump.

CVE-2018-10949 synacor vulnerability CVSS: 5.0 10 May 2018, 01:29 UTC

mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 allows Account Enumeration by leveraging a Discrepancy between the "HTTP 404 - account is not active" and "HTTP 401 - must authenticate" errors.

CVE-2018-6882 synacor vulnerability CVSS: 4.3 27 Mar 2018, 16:29 UTC

Cross-site scripting (XSS) vulnerability in the ZmMailMsgView.getAttachmentLinkHtml function in Zimbra Collaboration Suite (ZCS) before 8.7 Patch 1 and 8.8.x before 8.8.7 might allow remote attackers to inject arbitrary web script or HTML via a Content-Location header in an email attachment.

CVE-2017-8783 synacor vulnerability CVSS: 3.5 04 Feb 2018, 01:29 UTC

Synacor Zimbra Collaboration Suite (ZCS) before 8.7.10 has Persistent XSS.

CVE-2017-17703 synacor vulnerability CVSS: 4.3 04 Feb 2018, 01:29 UTC

Synacor Zimbra Collaboration Suite (ZCS) before 8.8.3 has Persistent XSS.

CVE-2017-7288 synacor vulnerability CVSS: 4.3 23 May 2017, 04:29 UTC

Cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite (ZCS) before 8.7.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2017-6821 synacor vulnerability CVSS: 7.5 23 May 2017, 04:29 UTC

Directory traversal vulnerability in Zimbra Collaboration Suite (aka ZCS) before 8.7.6 allows attackers to have unspecified impact via unknown vectors.

CVE-2017-6813 synacor vulnerability CVSS: 7.5 23 May 2017, 04:29 UTC

A service provided by Zimbra Collaboration Suite (ZCS) before 8.7.6 fails to require needed privileges before performing a few requested operations.

CVE-2016-3403 synacor vulnerability CVSS: 6.8 17 May 2017, 14:29 UTC

Multiple cross-site request forgery (CSRF) vulnerabilities in the Admin Console in Zimbra Collaboration before 8.6.0 Patch 8 allow remote attackers to hijack the authentication of administrators for requests that (1) add, (2) modify, or (3) remove accounts by leveraging failure to use a CSRF token and perform referer header checks, aka bugs 100885 and 100899.

CVE-2016-9924 synacor vulnerability CVSS: 7.5 29 Mar 2017, 14:59 UTC

Zimbra Collaboration Suite (ZCS) before 8.7.4 allows remote attackers to conduct XML External Entity (XXE) attacks.

CVE-2016-4019 synacor vulnerability CVSS: 4.3 18 Jan 2017, 22:59 UTC

Unspecified vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to affect integrity via unknown vectors, aka bug 104477.

CVE-2016-3999 synacor vulnerability CVSS: 4.3 18 Jan 2017, 22:59 UTC

Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bugs 104552 and 104703.

CVE-2016-3415 synacor vulnerability CVSS: 6.4 18 Jan 2017, 22:59 UTC

Zimbra Collaboration before 8.7.0 allows remote attackers to conduct deserialization attacks via unspecified vectors, aka bug 102276.

CVE-2016-3414 synacor vulnerability CVSS: 4.0 18 Jan 2017, 22:59 UTC

Unspecified vulnerability in Zimbra Collaboration before 8.6.0 Patch 7 allows remote authenticated users to affect availability via unknown vectors, aka bug 102029.

CVE-2016-3413 synacor vulnerability CVSS: 5.0 18 Jan 2017, 22:59 UTC

Unspecified vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to affect integrity via unknown vectors, aka bug 103996.

CVE-2016-3412 synacor vulnerability CVSS: 4.3 18 Jan 2017, 22:59 UTC

Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bugs 103997, 104413, 104414, 104777, and 104791.

CVE-2016-3411 synacor vulnerability CVSS: 4.3 18 Jan 2017, 22:59 UTC

Cross-site scripting (XSS) vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bug 103609.

CVE-2016-3410 synacor vulnerability CVSS: 4.3 18 Jan 2017, 22:59 UTC

Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bugs 103956, 103995, 104475, 104838, and 104839.

CVE-2016-3409 synacor vulnerability CVSS: 4.3 18 Jan 2017, 22:59 UTC

Cross-site scripting (XSS) vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bug 102637.

CVE-2016-3408 synacor vulnerability CVSS: 4.3 18 Jan 2017, 22:59 UTC

Cross-site scripting (XSS) vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bug 101813.

CVE-2016-3407 synacor vulnerability CVSS: 4.3 18 Jan 2017, 22:59 UTC

Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bugs 104222, 104910, 105071, and 105175.

CVE-2016-3406 synacor vulnerability CVSS: 6.8 18 Jan 2017, 22:59 UTC

Multiple cross-site request forgery (CSRF) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to hijack the authentication of unspecified victims via vectors involving (1) the Client uploader extension or (2) extension REST handlers, aka bugs 104294 and 104456.

CVE-2016-3405 synacor vulnerability CVSS: 5.0 18 Jan 2017, 22:59 UTC

Multiple unspecified vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to affect integrity via unknown vectors, aka bugs 103961 and 104828.

CVE-2016-3404 synacor vulnerability CVSS: 5.0 18 Jan 2017, 22:59 UTC

Unspecified vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to affect integrity via unknown vectors, aka bug 103959.

CVE-2016-3402 synacor vulnerability CVSS: 5.0 18 Jan 2017, 22:59 UTC

Unspecified vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to affect confidentiality via unknown vectors, aka bug 99167.

CVE-2016-3401 synacor vulnerability CVSS: 4.0 18 Jan 2017, 22:59 UTC

Unspecified vulnerability in Zimbra Collaboration before 8.7.0 allows remote authenticated users to affect integrity via unknown vectors, aka bug 99810.

CVE-2013-7091 synacor vulnerability CVSS: 5.0 13 Dec 2013, 18:07 UTC

Directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the skin parameter. NOTE: this can be leveraged to execute arbitrary code by obtaining LDAP credentials and accessing the service/admin/soap API.

CVE-2013-5119 synacor vulnerability CVSS: 6.8 23 Sep 2013, 20:55 UTC

Zimbra Collaboration Suite (ZCS) 6.0.16 and earlier allows man-in-the-middle attackers to obtain access by sniffing the network and replaying the ZM_AUTH_TOKEN token.