Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-37041PUBLISHED: 2022-08-12
An issue was discovered in ProxyServlet.java in the /proxy servlet in Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0. The value of the X-Forwarded-Host header overwrites the value of the Host header in proxied requests. The value of X-Forwarded-Host header is not checked against the whitelist of ho...
CVE-2022-37042PUBLISHED: 2022-08-12
Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execu...
CVE-2022-37043PUBLISHED: 2022-08-12
An issue was discovered in the webmail component in Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0. When using preauth, CSRF tokens are not checked on some POST endpoints. Thus, when an authenticated user views an attacker-controlled page, a request will be sent to the application that appears to b...
CVE-2022-37044PUBLISHED: 2022-08-12In Zimbra Collaboration Suite (ZCS) 8.8.15, the URL at /h/search?action accepts parameters called extra, title, and onload that are partially sanitised and lead to reflected XSS that allows executing arbitrary JavaScript on the victim's machine.
CVE-2022-37423PUBLISHED: 2022-08-12Neo4j APOC (Awesome Procedures on Cypher) before 4.3.0.7 and 4.x before 4.4.0.8 allows Directory Traversal to sibling directories via apoc.log.stream.
User Rank: Moderator
9/3/2014 | 3:33:25 PM
It's a fine line, but a well understood distinction, especially in a legal liability sense. As with many things legal, check your intuition and sensibilities at the courthouse door.
That being said, I agree that it has definitely emerged to be in the best interest of the Fanchisor to, at the very least, specify security requirements (and probably enshrine it in the franchise agreement). The Franchisors could just as easily revoke the offending Franchisees to protect their reputation. In the vein of "every problem is an opportunity," the smart play would be for a Franchisor to impose security across the Franchise and provide value add to the Franchisees, as well as turn this into a feature of the Franchise -- great service and secure purchases now at *all* UPS Stores.