Zimbra Collaboration Cross Site Scripting

2019.02.02
Credit: Issam Rabhi
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79

# [CVE-2018-14013] Reflected Cross-Site Scripting (XSS) vulnerabilities in Zimbra Collaboration ## Description Two XSS vulnerabilities have been discovered in Zimbra Collaboration (initially in version 8.8.8). Zimbra Collaboration is an open source messaging and collaboration solution. ## Vulnerability records **Access Vector**: Remote **Security Risk**: Medium **Vulnerability**: CWE-79 **CVSS Base Score**: 6.1 **CVSS String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N ## Details Two Reflected XSS vulnerabilities allow remote attackers to inject arbitrary JavaScript in web browsers. ### Proof of Concept - XSS\#1 To reproduce the first XSS, login to https://host.com/zimbra/ and click on the link below: ``` https://host.com/zimbra/h/search?si=1&so=0&sfi=4&st=message&csi=1&action=&cso=0&id=""><svg onload=alert(1)> ``` ### Proof of Concept - XSS\#2 1. First, login to `https://host.com/zimbra/` 2. Click on "Preferences", then on "Import / Export". 3. Finally, just import a file named `test.<svg onload=alert(2)>` to get the second XSS payload executed. ## Affected versions Versions < 8.8.11. ## Solution Update to version 8.8.11 which includes all fixes. ## Timeline (dd/mm/yyyy) * 12/07/2018 : Initial discovery * 21/07/2018 : Vendor notification * 21/07/2018 : Vendor acknowledgment * 18/10/2018 : Vendor partial fixes in ZCS 8.8.10 patch 1 and 8.8.9 patch 6 (XSS 1) * 18/12/2018 : Vendor full fixes in ZCS 8.8.11 (XSS 2) * 30/01/2019 : Public disclosure ## Credits * Issam Rabhi <i.rabhi@sysdream.com> Thanks to the Zimbra security team for the perfect report handling ! -- SYSDREAM Labs <labs@sysdream.com> GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 * Website: https://sysdream.com/ * Twitter: @sysdream


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top