Zimbra Collaboration versions prior to 8.8.11 suffer from multiple cross-site scripting vulnerabilities.
# [CVE-2018-14013] Reflected Cross-Site Scripting (XSS) vulnerabilities in Zimbra Collaboration
## Description
Two XSS vulnerabilities have been discovered in Zimbra Collaboration
(initially in version 8.8.8).
Zimbra Collaboration is an open source messaging and collaboration solution.
## Vulnerability records
* **Access Vector**: Remote
* **Security Risk**: Medium
* **Vulnerability**: CWE-79
* **CVSS Base Score**: 6.1
* **CVSS String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
## Details
Two Reflected XSS vulnerabilities allow remote attackers to inject
arbitrary JavaScript in web browsers.
### Proof of Concept - XSS #1
To reproduce the first XSS, log in to `https://host.com/zimbra/` and click
on the link below:
```
https://host.com/zimbra/h/search?si=1&so=0&sfi=4&st=message&csi=1&action=&cso=0&id=""><svg onload=alert(1)>
```
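A log check for requests shaped like the XSS #1 link above, as an added example that is not part of the original advisory. It assumes combined-format access logs and that legitimate `id` values never contain `<`, `>` or quote characters; the sample lines, function names and constants are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Feb/2019:10:00:01 +0000] "GET /zimbra/h/search?si=1&so=0&st=message&id=257 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Feb/2019:10:00:07 +0000] "GET /zimbra/h/search?si=1&st=message&id=%22%22%3E%3Csvg%20onload=alert(1)%3E HTTP/1.1" 200 5342',
    '203.0.113.9 - - [01/Feb/2019:10:00:09 +0000] "GET /zimbra/h/search?st=message&id=%2522%253E%253Csvg HTTP/1.1" 200 5301',
    '198.51.100.2 - - [01/Feb/2019:10:01:00 +0000] "GET /zimbra/h/calendar?id=%3Cb%3E HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
MARKUP_CHARS = set('<>"\'')        # assumption: never present in a legitimate id value
WATCHED_PATH = "/zimbra/h/search"  # endpoint named in the advisory
WATCHED_PARAM = "id"               # parameter named in the advisory


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so values encoded more than once are inspected in final form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(lines):
    """Return (client_ip, decoded id value) for watched requests whose id carries markup."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parsable request line
        url = urlsplit(match.group(1))
        if url.path != WATCHED_PATH:
            continue
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            value = fully_decode(value)
            if name == WATCHED_PARAM and MARKUP_CHARS & set(value):
                hits.append((line.split()[0], value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}\t{value!r}")
```

XSS #2 travels in an uploaded file name rather than the URL, so this check does not cover it.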
### Proof of Concept - XSS #2
1. First, log in to `https://host.com/zimbra/`
2. Click on "Preferences", then on "Import / Export".
3. Finally, just import a file named `test.<svg onload=alert(2)>` to get
the second XSS payload executed.
## Affected versions
Versions < 8.8.11.
## Solution
Update to version 8.8.11 which includes all fixes.
## Timeline (dd/mm/yyyy)
* 12/07/2018 : Initial discovery
* 21/07/2018 : Vendor notification
* 21/07/2018 : Vendor acknowledgment
* 18/10/2018 : Vendor partial fixes in ZCS 8.8.10 patch 1 and 8.8.9 patch 6 (XSS 1)
* 18/12/2018 : Vendor full fixes in ZCS 8.8.11 (XSS 2)
* 30/01/2019 : Public disclosure
## Credits
* Issam Rabhi <[email protected]>
Thanks to the Zimbra security team for the perfect report handling!
--
SYSDREAM Labs <[email protected]>
GPG :
47D1 E124 C43E F992 2A2E
1551 8EB4 8CD9 D5B2 59A1
* Website: https://sysdream.com/
* Twitter: @sysdream