Source: packetstorm
Author: Issam Rabhi
ID: PACKETSTORM:151472
Date: Feb 02, 2019 - 12:00 a.m.

Zimbra Collaboration Cross Site Scripting

packetstormsecurity.com

EPSS: 0.006 (Low), percentile 79.5%

`# [CVE-2018-14013] Reflected Cross-Site Scripting (XSS) vulnerabilities in Zimbra Collaboration
  
## Description  
  
Two XSS vulnerabilities have been discovered in Zimbra Collaboration  
(initially in version 8.8.8).  
Zimbra Collaboration is an open source messaging and collaboration solution.  
  
## Vulnerability records  
  
**Access Vector**: Remote  
  
**Security Risk**: Medium  
  
**Vulnerability**: CWE-79  
  
**CVSS Base Score**: 6.1  
  
**CVSS String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N  
  
## Details  
  
Two Reflected XSS vulnerabilities allow remote attackers to inject  
arbitrary JavaScript in web browsers.  
  
### Proof of Concept - XSS #1

To reproduce the first XSS, log in to https://host.com/zimbra/ and click
on the link below:

```
https://host.com/zimbra/h/search?si=1&so=0&sfi=4&st=message&csi=1&action=&cso=0&id=""><svg onload=alert(1)>
```
  
### Proof of Concept - XSS #2

1. First, log in to `https://host.com/zimbra/`
  
2. Click on "Preferences", then on "Import / Export".  
  
3. Finally, just import a file named `test.<svg onload=alert(2)>` to get  
the second XSS payload executed.  
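
Both proofs of concept rely on a request value (the `id` parameter, the imported file name) reaching HTML without output encoding. The following is an added example, not code from the advisory or from Zimbra: it uses a hypothetical markup template (`render_naive`, `render_encoded`) to show what an HTML parser sees for the two payloads before and after encoding.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Inputs copied from the advisory's two proofs of concept.
POC_URL = ('https://host.com/zimbra/h/search?si=1&so=0&sfi=4&st=message'
           '&csi=1&action=&cso=0&id=""><svg onload=alert(1)>')
POC_FILENAME = 'test.<svg onload=alert(2)>'

def id_param(url):
    """Return the raw `id` query parameter as the server would receive it."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)['id'][0]

def render_naive(msg_id, filename):
    # Hypothetical markup (not Zimbra's): values concatenated unencoded.
    return ('<input type="hidden" name="id" value="' + msg_id + '">'
            '<p>Imported ' + filename + '</p>')

def render_encoded(msg_id, filename):
    # Same markup, HTML-encoding each value at output. quote=True also
    # encodes " and ', which is what prevents the attribute breakout.
    return ('<input type="hidden" name="id" value="'
            + escape(msg_id, quote=True) + '">'
            '<p>Imported ' + escape(filename, quote=True) + '</p>')

class TagAudit(HTMLParser):
    """Collects elements, on* handler attributes and <input> values."""
    def __init__(self):
        super().__init__()
        self.tags, self.handlers, self.values = [], [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [(tag, k) for k, _ in attrs if k.startswith('on')]
        if tag == 'input':
            self.values.append(dict(attrs).get('value'))

def audit(markup):
    """Parse rendered markup and report what a parser actually sees."""
    parser = TagAudit()
    parser.feed(markup)
    parser.close()
    return parser

if __name__ == '__main__':
    for render in (render_naive, render_encoded):
        seen = audit(render(id_param(POC_URL), POC_FILENAME))
        print(render.__name__, seen.tags, seen.handlers)
```

With encoding applied, the parser sees only the template's own `input` and `p` elements, and the `value` attribute still decodes to the exact string that was submitted.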
  
  
## Affected versions  
  
Versions < 8.8.11.  
  
## Solution  
  
Update to version 8.8.11 which includes all fixes.  
  
## Timeline (dd/mm/yyyy)  
  
* 12/07/2018 : Initial discovery  
* 21/07/2018 : Vendor notification  
* 21/07/2018 : Vendor acknowledgment  
* 18/10/2018 : Vendor partial fixes in ZCS 8.8.10 patch 1 and 8.8.9 patch 6 (XSS 1)
* 18/12/2018 : Vendor full fixes in ZCS 8.8.11 (XSS 2)  
* 30/01/2019 : Public disclosure  
  
## Credits  
  
* Issam Rabhi <[email protected]>  
  
Thanks to the Zimbra security team for the perfect report handling!
  
--   
SYSDREAM Labs <[email protected]>  
  
GPG :  
47D1 E124 C43E F992 2A2E  
1551 8EB4 8CD9 D5B2 59A1  
  
* Website: https://sysdream.com/  
* Twitter: @sysdream  
  
`
