Cross-Site Scripting Vulnerability in Zimbra Web Client
CVE-2020-11737

6.1MEDIUM

Key Information:

Vendor

Zimbra

Status
Zimbra
Vendor
CVE Published:
5 May 2020

What is CVE-2020-11737?

A cross-site scripting vulnerability exists in the Web Client of Zimbra 9.0, enabling remote attackers to execute arbitrary JavaScript by crafting specific links in email messages or calendar invites. This exploit targets 'A' elements with an 'href' attribute containing a 'www' substring, followed immediately by a DOM event listener such as 'onmouseover'. This issue has been addressed in the 9.0.0 Patch 2 release.

References

https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
x_refsource_MISC
https://blog.zimbra.com/2020/05/new-zimbra-9-kepler-patch-2/
x_refsource_CONFIRM
https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P2
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.