Cross Site Scripting Vulnerability in Zimbra ZCS by Zimbra
CVE-2023-34192

9 CRITICAL

Key Information:

Vendor

Zimbra

CVE Published:
6 July 2023

Badges

👾 Exploit Exists
🟣 EPSS 84%
🦅 CISA Reported
📰 News Worthy

What is CVE-2023-34192?

A Cross Site Scripting (XSS) vulnerability in Zimbra ZCS version 8.8.15 allows remote authenticated attackers to execute arbitrary code. This can be achieved by injecting a crafted script that targets the /h/autoSaveDraft function, potentially compromising sensitive user data and leading to unauthorized access.

CISA has reported CVE-2023-34192

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2023-34192 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace.

The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

News Articles

CISA Adds Microsoft and Zimbra Flaws to KEV Catalog Amid Active Exploitation

CISA adds Microsoft Partner Center and Zimbra ZCS flaws to its KEV catalog, citing active exploitation. Federal agencies must patch by March 18 to mit

Critical XSS vulnerability in Zimbra exploited in the wild (CVE-2023-34192) - Help Net Security

A critical XSS vulnerability (CVE-2023-34192) in popular open source email collaboration suite Zimbra is being exploited by attackers.

References

EPSS Score

84% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • 🦅 CISA Reported

  • 👾 Exploit known to exist

  • 📰 First article discovered by Help Net Security

  • Vulnerability published

  • Vulnerability Reserved
