{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-33373", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-01T15:38:23.209Z", "dateReserved": "2026-03-19T00:00:00.000Z", "datePublished": "2026-03-30T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-30T14:45:52.857Z"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A Cross-Site Request Forgery (CSRF) vulnerability exists in Zimbra Web Client due to the issuance of authentication tokens without CSRF protection during certain account state transitions. Specifically, tokens generated after operations such as enabling two-factor authentication or changing a password may lack CSRF enforcement. While such a token is active, authenticated SOAP requests that trigger token generation or state changes can be performed without CSRF validation. An attacker could exploit this by inducing a victim to submit crafted requests, potentially allowing sensitive account actions such as disabling two-factor authentication. The issue is mitigated by ensuring CSRF protection is consistently enforced for all issued authentication tokens."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://wiki.zimbra.com/wiki/Security_Center"}, {"url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"}, {"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.13#Security_Fixes"}, {"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.18#Security_Fixes"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-352", "lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T15:36:08.584136Z", "id": "CVE-2026-33373", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T15:38:23.209Z"}}]}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A Cross-Site Request Forgery (CSRF) vulnerability exists in Zimbra Web Client due to the issuance of authentication tokens without CSRF protection during certain account state transitions. Specifically, tokens generated after operations such as enabling two-factor authentication or changing a password may lack CSRF enforcement. While such a token is active, authenticated SOAP requests that trigger token generation or state changes can be performed without CSRF validation. An attacker could exploit this by inducing a victim to submit crafted requests, potentially allowing sensitive account actions such as disabling two-factor authentication. The issue is mitigated by ensuring CSRF protection is consistently enforced for all issued authentication tokens."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Zimbra Collaboration (ZCS) 10.0 y 10.1. Existe una vulnerabilidad de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en el cliente web de Zimbra debido a la emisi\u00f3n de tokens de autenticaci\u00f3n sin protecci\u00f3n CSRF durante ciertas transiciones de estado de cuenta. Espec\u00edficamente, los tokens generados despu\u00e9s de operaciones como habilitar la autenticaci\u00f3n de dos factores o cambiar una contrase\u00f1a pueden carecer de aplicaci\u00f3n de CSRF. Mientras dicho token est\u00e9 activo, las peticiones SOAP autenticadas que desencadenan la generaci\u00f3n de tokens o cambios de estado pueden realizarse sin validaci\u00f3n CSRF. Un atacante podr\u00eda explotar esto induciendo a una v\u00edctima a enviar peticiones manipuladas, lo que podr\u00eda permitir acciones sensibles en la cuenta como deshabilitar la autenticaci\u00f3n de dos factores. El problema se mitiga asegurando que la protecci\u00f3n CSRF se aplique consistentemente para todos los tokens de autenticaci\u00f3n emitidos."}], "id": "CVE-2026-33373", "lastModified": "2026-04-01T16:23:50.073", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-30T15:16:29.410", "references": [{"source": "cve@mitre.org", "url": "https://wiki.zimbra.com/wiki/Security_Center"}, {"source": "cve@mitre.org", "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.18#Security_Fixes"}, {"source": "cve@mitre.org", "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.13#Security_Fixes"}, {"source": "cve@mitre.org", "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}