Cross-Site Scripting Issue in Zimbra Collaboration by Zimbra
CVE-2023-37580

6.1MEDIUM

Key Information:

Vendor: Zimbra
Status: Zimbra
Vendor: CVE Published:; 31 July 2023

Badges

👾 Exploit Exists🟣 EPSS 93%🦅 CISA Reported

What is CVE-2023-37580?

An XSS vulnerability exists in the Zimbra Collaboration Suite prior to version 8.8.15 Patch 41, allowing attackers to inject malicious scripts via the Zimbra Classic Web Client. This flaw can compromise the security and integrity of users' sessions, potentially leading to unauthorized access to sensitive information if exploited. Users are urged to upgrade to the latest version to mitigate this risk.

CISA has reported CVE-2023-37580

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2023-37580 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace

The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

References

https://wiki.zimbra.com/wiki/Security_Center

https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosur...

http://www.openwall.com/lists/oss-security/2023/11/17/2

mailing-list

EPSS Score

93% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 31, 2023
👾
Exploit known to exist
Jul 27, 2023
🦅
CISA Reported
Jul 27, 2023
Vulnerability Reserved
Jul 7, 2023