|
Message-ID: <eaa908a8-929d-98d9-8a66-04a8ccc6da53@sysdream.com>
Date: Wed, 30 Jan 2019 09:42:56 +0100
From: Sysdream Labs <labs@...dream.com>
To: fulldisclosure@...lists.org, oss-security@...ts.openwall.com
Subject: [CVE-2018-14013] Reflected Cross-Site Scripting (XSS) vulnerabilities
in Zimbra Collaboration
# [CVE-2018-14013] Reflected Cross-Site Scripting (XSS) vulnerabilities
in Zimbra Collaboration
## Description
Two XSS vulnerabilities have been discovered in Zimbra Collaboration
(initially in version 8.8.8).
Zimbra Collaboration is an open source messaging and collaboration solution.
## Vulnerability records
**Access Vector**: Remote
**Security Risk**: Medium
**Vulnerability**: CWE-79
**CVSS Base Score**: 6.1
**CVSS String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
## Details
Two Reflected XSS vulnerabilities allow remote attackers to inject
arbitrary JavaScript in web browsers.
### Proof of Concept - XSS\#1
To reproduce the first XSS, login to https://host.com/zimbra/ and click
on the link below:
```
https://host.com/zimbra/h/search?si=1&so=0&sfi=4&st=message&csi=1&action=&cso=0&id=""><svg
onload=alert(1)>
```
### Proof of Concept - XSS\#2
1. First, login to `https://host.com/zimbra/`
2. Click on "Preferences", then on "Import / Export".
3. Finally, just import a file named `test.<svg onload=alert(2)>` to get
the second XSS payload executed.
## Affected versions
Versions < 8.8.11.
## Solution
Update to version 8.8.11 which includes all fixes.
## Timeline (dd/mm/yyyy)
* 12/07/2018 : Initial discovery
* 21/07/2018 : Vendor notification
* 21/07/2018 : Vendor acknowledgment
* 18/10/2018 : Vendor partial fixes in ZCS 8.8.10 patch 1 and 8.8.9
patch 6 (XSS 1)
* 18/12/2018 : Vendor full fixes in ZCS 8.8.11 (XSS 2)
* 30/01/2019 : Public disclosure
## Credits
* Issam Rabhi <i.rabhi@...dream.com>
Thanks to the Zimbra security team for the perfect report handling !
--
SYSDREAM Labs <labs@...dream.com>
GPG :
47D1 E124 C43E F992 2A2E
1551 8EB4 8CD9 D5B2 59A1
* Website: https://sysdream.com/
* Twitter: @sysdream
Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.