Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.ZIMBRA_10_0_5.NASL
HistoryOct 26, 2023 - 12:00 a.m.

Zimbra Collaboration Server 8.8.x < 8.8.15 Patch 44, 9.x < 9.0.0 Patch 37, 10.0.x < 10.0.5 Multiple Vulnerabilities

2023-10-2600:00:00
This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
26
zimbra collaboration server
vulnerabilities
javascript injection
xss
robohelp package

9.4 High

AI Score

Confidence

High

JSON

According to its self-reported version number, Zimbra Collaboration Server is affected by multiple vulnerabilities including:

  • A security related issue has been fixed to prevent javascript injection through help files.
    (CVE-2007-1280)

  • A security related issue has been fixed which impacted one of the third party libraries being used in Admin User Inferface. (CVE-2020-7746)

  • An XSS vulnerability was observed when a PDF containing malicious Javascript code was uploaded in Briefcase. (CVE-2023-45207)

  • Multiple possible cross-site scripting (XSS) vulnerabilities were observed in the robohelp package. The package has now been made optional. This means that users will now be access help documentation at the URL - https://www.zimbra.com/documentation/. (CVE-2023-45206)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(183920);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/15");

  script_cve_id(
    "CVE-2007-1280",
    "CVE-2020-7746",
    "CVE-2023-45206",
    "CVE-2023-45207"
  );
  script_xref(name:"IAVA", value:"2023-A-0583-S");

  script_name(english:"Zimbra Collaboration Server 8.8.x < 8.8.15 Patch 44, 9.x < 9.0.0 Patch 37, 10.0.x < 10.0.5 Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a web application that is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, Zimbra Collaboration Server is affected by multiple vulnerabilities
including:

  - A security related issue has been fixed to prevent javascript injection through help files.
  (CVE-2007-1280)

  - A security related issue has been fixed which impacted one of the third party libraries being used in
  Admin User Inferface. (CVE-2020-7746)

  -	An XSS vulnerability was observed when a PDF containing malicious Javascript code was uploaded in
  Briefcase. (CVE-2023-45207)

  -	Multiple possible cross-site scripting (XSS) vulnerabilities were observed in the robohelp package. The
  package has now been made optional. This means that users will now be access help documentation at the URL -
  https://www.zimbra.com/documentation/. (CVE-2023-45206)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.5");
  script_set_attribute(attribute:"see_also", value:"https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P37");
  script_set_attribute(attribute:"see_also", value:"https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P44");
  script_set_attribute(attribute:"see_also", value:"https://wiki.zimbra.com/wiki/Security_Center");
  script_set_attribute(attribute:"see_also", value:"https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories");
  script_set_attribute(attribute:"solution", value:
"Upgrade to version 8.8.15 Patch 44, 9.0.0 Patch 37, 10.0.5, or later.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-7746");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/10/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/10/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/10/26");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:zimbra:collaboration_suite");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("zimbra_web_detect.nbin", "zimbra_nix_installed.nbin");
  script_require_keys("installed_sw/zimbra_zcs");

  exit(0);
}

include('vcf.inc');
include('vcf_extras.inc');

var app_info = vcf::zimbra::combined_get_app_info();

var constraints = [
  {'min_version':'8.8', 'max_version':'8.8.15', 'fixed_display':'8.8.15 Patch 44', 'Patch':'44'},
  {'min_version':'9.0', 'max_version':'9.0.0', 'fixed_display':'9.0.0 Patch 37', 'Patch':'37'},
  {'min_version':'10.0', 'fixed_version':'10.0.5', 'fixed_display':'10.0.5'}
];

vcf::zimbra::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_WARNING,
  flags:{'xss':TRUE}
);
VendorProductVersionCPE
zimbracollaboration_suitecpe:/a:zimbra:collaboration_suite

Related

prion 5
cve 5
redhatcve 1
debiancve 1
nodejs 1
osv 2
ibm 4
ubuntucve 1
veracode 1
github 1
ics 1
redhat 1
prion
prion
Cross site scripting
2024-02-13 16:15:00
Cross site scripting
2024-02-13 16:15:00
Cross site scripting
2007-05-10 00:19:00
cve
cve
CVE-2023-45206
2024-02-13 16:15:08
CVE-2023-45207
2024-02-13 16:15:08
CVE-2020-7746
2020-10-29 08:15:00
redhatcve
redhatcve
CVE-2020-7746
2022-06-14 16:29:19
debiancve
debiancve
CVE-2020-7746
2020-10-29 08:15:00
nodejs
nodejs
Prototype pollution in chart.js
2021-05-10 18:51:27
osv
osv
Prototype pollution in chart.js
2021-05-10 18:47:53
CVE-2020-7746
2020-10-29 08:15:12
ibm
ibm
Security Bulletin: Denial of Service Vulnerability in Chart.js affects IBM Spectrum Protect Plus (CVE-2020-7746)
2020-12-04 08:01:37
Security Bulletin: IBM Tivoli Netcool Impact is vulnerable to denial of service due to Chart.js (CVE-2020-7746)
2023-12-01 10:32:50
Security Bulletin: Multiple security vulnerabilities are addressed with IBM Business Automation Manager Open Editions 8.0.1
2022-10-28 18:30:08
ubuntucve
ubuntucve
CVE-2020-7746
2020-10-29 00:00:00
veracode
veracode
Prototype Pollution
2020-10-30 03:59:08
github
github
Prototype pollution in chart.js
2021-05-10 18:47:53
ics
ics
Mitsubishi Electric EcoWebServerIII
2022-02-24 12:00:00
redhat
redhat
(RHSA-2022:6813) Important: Red Hat Process Automation Manager 7.13.1 security update
2022-10-05 10:42:47

9.4 High

AI Score

Confidence

High

JSON
Related for ZIMBRA_10_0_5.NASL
prion5cve5redhatcve1debiancve1nodejs1osv2ibm4ubuntucve1veracode1github1ics1redhat1