Stored XSS Vulnerability in Zimbra Collaboration Email Applications
CVE-2023-45207

6.1 MEDIUM

Key Information:

Vendor: Zimbra
CVE Published: 13 February 2024

What is CVE-2023-45207?

A Cross-Site Scripting (XSS) vulnerability exists in Zimbra Collaboration Suite (ZCS) versions 8.8.15, 9.0, and 10.0. This security flaw allows an attacker to send a seemingly benign PDF document containing malicious JavaScript. If the target user previews this PDF in compatible webmail environments, specifically the Chrome browser, the embedded script is executed, leading to potential unauthorized actions within the user's session. The issue has been addressed by implementing sanitization processes for JavaScript within PDF documents.

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
