Attackers are exploiting a critical Zimbra Collaboration Suite cross-site scripting vulnerability. CVE-2023-37580 affects the Zimbra Classic Web Client. Successful exploitation of the vulnerability may allow an attacker to compromise the confidentiality and integrity of the target system.
CISA has added the CVE-2023-37580 to its Known Exploited Vulnerabilities Catalog urging users to apply the patch before August 17.
Cross-Site Scripting is a form of security flaw that has been discovered in several web applications. Attackers can employ XSS payload to inject client-side scripts into web pages that other users are viewing. An attacker could exploit a cross-site scripting vulnerability to get around access constraints like the same-origin policy. Because the submitted script is saved on the server of the targeted site, a stored XSS vulnerability is highly dangerous.
The vulnerability is being exploited in the wild, yet no proof of concept is publicly available.
Zimbra Collaboration Suite is a widely deployed web client and email server that provides complete email, address book, calendar, and task solutions. All the apps are available on Zimbra Web Client, Zimbra Desktop offline client, Outlook, and various other email clients and mobile devices. Over 200,000 businesses in 140 countries currently use this email and collaboration platform.
Affected versions
The vulnerability affects the Zimbra Collaboration Suite 8.8.x before 8.8.15 Patch 41.
Mitigation
Zimbra has fixed the vulnerability in version 8.8.15 Patch 41. For more information, please refer to the Zimbra security update.
Qualys Detection
Qualys customers can scan their devices with QID 378721 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P41