Cross Site Scripting Vulnerability in Zimbra zm-admin-ajax Prior to 8.8.1
CVE-2017-20191

3.5LOW

Key Information:

Vendor

Zimbra

Status
Zm-admin-ajax
Vendor
CVE Published:
31 March 2024

What is CVE-2017-20191?

A vulnerability exists in Zimbra's zm-admin-ajax component that affects the Form Textbox Field Error Handler. Specifically, the function XFormItem.prototype.setError in the WebRoot/js/ajax/dwt/xforms/XFormItem.js file is susceptible to cross-site scripting attacks. This vulnerability allows an attacker to manipulate the error message argument, leading to potential remote exploitation. The issue is patched in version 8.8.2, and users are strongly advised to upgrade to ensure their systems are secure.

Affected Version(s)

zm-admin-ajax 8.8.0

zm-admin-ajax 8.8.1

References

https://vuldb.com/?id.258621
vdb-entrytechnical-description
https://vuldb.com/?ctiid.258621
signaturepermissions-required
https://github.com/Zimbra/zm-admin-ajax/commit/bb240ce0c7...
patch

CVSS V3.1

Score:
3.5
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

VulDB GitHub Commit Analyzer
.