Description

Two XSS vulnerabilities have been discovered in Zimbra Collaboration (initially in version 8.8.8). Zimbra Collaboration is an open source messaging and collaboration solution.

Vulnerability records

CVE ID: CVE-2018-14013

Access Vector: Remote

Security Risk: Medium

Vulnerability: CWE-79

CVSS Base Score: 6.1

CVSS String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

Two Reflected XSS vulnerabilities allow remote attackers to inject arbitrary JavaScript in web browsers.

Proof of Concept 1: Reflected XSS

To reproduce the first XSS, log in to https://host.com/zimbra/ and click on the link below:

https://host.com/zimbra/h/search?si=1&so=0&sfi=4&st=message&csi=1&action=&cso=0&id=""><svg onload=alert(1)>
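
A log-review check for the first proof of concept, added here as an example and not part of the original advisory or of Zimbra's code: it flags requests to the /h/search page whose id parameter decodes to HTML metacharacters, including double-encoded values. The log lines are constructed samples in common log format, and the function names and the metacharacter rule are assumptions to adapt to your own proxy logs.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [30/Jan/2019:10:01:02 +0000] "GET /zimbra/h/search?si=1&so=0&sfi=4&st=message&id=257 HTTP/1.1" 200 5120
198.51.100.9 - - [30/Jan/2019:10:02:10 +0000] "GET /zimbra/h/search?si=1&st=message&id=%22%22%3E%3Csvg%20onload%3Dalert(1)%3E HTTP/1.1" 200 5344
198.51.100.9 - - [30/Jan/2019:10:02:40 +0000] "GET /zimbra/h/search?st=message&id=%2522%253E%253Csvg%253E HTTP/1.1" 200 5201
198.51.100.4 - - [30/Jan/2019:10:03:00 +0000] "GET /zimbra/h/compose?id=%3Cb%3E HTTP/1.1" 200 900
"""

# Assumed log layout: the request line is the quoted "METHOD URL HTTP/x" field.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters that let a value break out of an HTML attribute or start a tag.
MARKUP_RE = re.compile(r'[<>"\']')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_search_requests(log_text):
    """Return (client_ip, decoded_id) for /h/search hits whose id has markup."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/h/search"):
            continue
        # parse_qs decodes once; fully_decode handles further encoding layers.
        for raw in parse_qs(url.query, keep_blank_values=True).get("id", []):
            decoded = fully_decode(raw)
            if MARKUP_RE.search(decoded):
                hits.append((line.split()[0], decoded))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_search_requests(SAMPLE_LOG):
        print(ip, repr(value))
```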

Proof of Concept 2: DOM-based XSS

  1. First, log in to https://host.com/zimbra/

  2. Click on "Preferences", then on "Import / Export".

  3. Finally, just import a file named test.<svg onload=alert(2)> to get the second XSS payload executed.

Affected versions

Versions < 8.8.11.

Solution

Update to version 8.8.11, which includes all fixes.

Timeline (dd/mm/yyyy)

  • 12/07/2018 : Initial discovery
  • 21/07/2018 : Vendor notification
  • 21/07/2018 : Vendor acknowledgment
  • 18/10/2018 : Vendor partial fixes in ZCS 8.8.10 patch 1 and 8.8.9 patch 6 (XSS 1)
  • 18/12/2018 : Vendor full fixes in ZCS 8.8.11 (XSS 2)
  • 30/01/2019 : Public disclosure

Credits

Thanks to the Zimbra security team for the perfect report handling!